 I can already welcome you all to this first cells lunchtime lecture of 2021. Welcome everyone. And my special welcome today goes half, half around the world. Welcome to Professor Damian Chalmers, who's the vice dean of research and the international professor at NUS. He is a known authority in European Union law, also because he worked at the LLC for 24 years as academic and later professor. He has a distinguished publishing career. And today he's going to talk to us about his take on data protection and data self determination. A very warm welcome, Professor Chalmers and I should remind participants that please use the Q&A tab. If you have any questions and we will pick up your questions after Professor Chalmers presentation. Thank you very much, Marcus. Thank you very much everyone. It's a real privilege to be invited. I tend to waffle on and I've got quite a few slides. So I'm just working out the share screen technology, which I hopefully will do. And I will just give you a brief summary of what I'm going to talk about today. So if I run out of time, then please give you a brief idea of what it is. Data protection is sort of like a new area for me and GDPR is, anyone does a Google search will find it's an extensively researched area. I've got interested particularly in the comparative political economy of it, particularly how it's informing and beginning to shape these protection regimes around the world, particularly outside Europe and the US. And to do that I thought I wanted to just understand a little bit what was going on to my mind in the EU. And this is a paper presentation that aims to do that. So the argument goes something like this, that if you look at the right to privacy, as it's historically developed. So what are people as a famous book by Daniel Salah that says it's a fair who argues conceptually fairly incoherent right to find a core of the right to the right to privacy or the right to respect the privacy is quite challenging. I tend to take the view that the way privacy has evolved has been a little bit different there is a logic to it, even if one's looking into the doctrine is sometimes a little bit contradictory. The logics, historically been this certainly I think you'd say up until the early 90s it was the following that the processes of modern life can put unreasonable demands on individuals and privacy is there really to police is unreasonable demands, and as the processes change over time. So the doctrinal content of this right changes these processes and their demands have shaped the doctrine a little bit. Now what has happened with data protection was, I think we could see that in the early years. But when one got towards developing in particular the single market. This protection, particular the 95 develop directive and these these developments being accelerated significantly by the GDPR privacy acquired a new dimension, in addition to this became associated also as almost a good a right entitlement to the management of one's personal development, what privacy increasingly was about was cultivating cultivating the individuals personal development, often for them, and how this was managed. And because it acquired the became if you like a good and it's own right a process and it's own right. This meant that the unreasonable demands that data protection is put on and being poorly policed. This is basically the argument. Nice. I'll start and I'll just do it in a second by sort of clearing the brush a bit. And giving you for those of you who are EU lawyers or other protection experts, beginners sweep through the GDPR and pointing out some paradoxes about it. On the one hand, it's, it's hailed as marvelous, but on the other, there were many things that are quite problematic about it. And what I'll argue in this paper is that a lot of the challenges with this arose from the transplant of a principle of German constitutional law, the principle of information self determination which works. Works pretty well within the German constitutional context to EU economic law became a market making principle. And this principle above everything else and the way it was transplanted by you generated a lot of the shape of the market we currently now have in the EU, but increasingly also beyond. This is an argument and if I run out of time, hopefully that'll just keep you on board. So the GDPR, the regulation to 2016 six, six out of nine, a beginner's guide for it. First of all, it sets a lot of certainly for mention this of six conditions by which your personal data my personal data may be processed by members maybe managed held disclosed you stored by someone else. The first is where there's express consent that consent has to be free specific and informed on ambiguous ambiguous. I also put examples, I also put their set of properties for consent, where the data in particular, where the data is necessary for the performance of another contract to which the subject is party, or I've asked someone to enter into such a contract and preparatory step, and the data is necessary for that. The second instance is the third circumstance where it can be used is where the person, the person charged of using it has a legitimate interest in using it, but this has to be balanced against this my civil liberties in particular my privacy. The fourth is where they think this is where I don't necessarily present my vital interests. And the final one is where it's necessary to fight the fifth and the sixth was in the public interest, or the some related exercise of authority. So there's a circumstances when if you like someone else can use have disclosed your personal data. So inside that, there are quite extensive responsibilities that are put in charge of the data controller the person in charge of all of this. They can only do this if it's an accordance with the law but it's just wasn't fair that they have to use this accurate they have to ensure that it's secure, and they have to ensure that the data that the process is proportionate for longer to the purposes for which it's being used relevant to those purposes and adequate. Next they have to communicate to the data subject in particular, provide clear information about what they're doing with the data. Thirdly, this is one of the significant innovations of the GDPR. There's a principle of data protection by design, but they should take technical organizational measures to minimize the personal data that process process issues. State of the art technology where possible to ensure as little personal data process as possible. What they do with a high risk from the data store or they're using new technologies is a particular forms of AI is carry out an impact assessment on protection personal data. And with a core activity is significant processing. They have to have data protection officers like compliance officers. Finally, finally, and I'm just putting you have the right to the data subject haven't I'm not dealing with the regulatory bodies. I have the subject of the right to ascertain and be notified of the purposes for which one's data they're using the processing was data, either might disclose it to and this was added by the GDPR, the period for which it's going to be held. To correct in that one inaccurate data, the data they put is just not true. The right to raise data. This is the right to be forgotten with the grounds for processing and disappeared. There's the rate to data portability. This is a new right handed by the GDPR where if you're, you should be able to take your data and have it processed by someone else and has to be on the form, you can sort of carry it to someone else. Finally, you have the right to object to someone using your data for profiling purposes, particularly where this thing under the public interest heading, or the legitimate interest of the processor. So that is a beginner's guide and a very crude guide to what the GDPR is about does. There are some paradoxes when you look at the GDPR for my mind to my mind these were really significant paradoxes. The first is it's amazingly influential. This is why the European Commission just can't talk about the GDPR enough at the moment to or data society. Even though big tech doesn't have to incorporate its requirements for stuff outside the EU, you'll find it incorporated into all of the comments of big big tech companies. There's been a rush of laws around the world to parallel the GDPR terms. So it must be a bit careful because a lot of states will say that they aren't doing it for this purposes, and the laws often have significant divergences with the GDPR. But in Indonesia, Malaysia, Singapore will change their laws. Japan, South Korea have Brazil has Kenya has and the California Consumer Protection Act, although there's a lot of debate about it at 2020. There are parallels as seen between it and the GDPR. So the GDPR has had some transport transporting effects. In some cases it's for states have free trade agreements and they want to have free amount of data with the EU. I think that's certainly the case for Singapore, Japan and South Korea. The third thing the EU has modestly marked its own homework and called it a Magna Carta the GDPR. And they're particularly proud that other international bodies like the GDPR, particularly because of its notion of consent. That's at its heart. And they point, the commissions pointed to a speech by the UN Secretary General in December 2019, the Italian Senate, said the EU should lead the digital age. And so that's, von de Lenz been talking to Biden about a new common rule book and I don't think she's thinking that the EU follow US data protection law but more the US align itself where possible with the GDPR. Now that's all very well. But you then, if you look at what's happening on the ground, you find a lot of contradictions about the GDPR. There were no levels of compliance with the GDPR. There were studies done one year after it came in which suggested many as 72% of companies were missing their obligations. There was an interesting report by the UK Information Commission officer which looked at the data-broken industry. These are the big harvesters of data in the world. In the UK they have data on absolutely everyone in the UK. They were breaking the GDPR in quite flagrant ways. There are arguments at data brokerage, which is one of the most problematic industries for protection of personal data is less well-policed in the EU than the US. The point about the GDPR at its most extensive, so this is how I expect the Court of Justice to interpret it, is it allows any data for which I can become identifiable is caught by the GDPR is very over inclusive. It can include so much if you think about the data that can be covered by that, not just data that relates directly to me but anything by which machine can identify me. So some critics the Court talked about becoming the law of everything. Thirdly, whilst it's a fashionable the slag of China, particularly China's use of information technology, it's an interesting thought experience to consider with the GDPR prohibit what China does. So if you looked at China's extensive surveillance in Xinjiang, which really is like something out of Tom Cruise film, that would almost certainly be allowed on the GDPR and the state security grounds. The ant social credit scheme, which is actually now being attacked in China by the authorities, which is this idea that everyone has a social score based on almost everything isn't a world array from the five C's credit rating systems are actually used in places like the UK. And finally, when always has to be a bit skeptical about a system of being the Magna Carta for data protection when Amazon and Axiom, which is the world's, I think, biggest data broker. So this is absolutely fantastic in the US should have it. So it's worth thinking a little bit what's going on here, whether GDPR, you know, clearly has some promise, but there are contradictions there. I'll just take you now through a little bit through my argument and just bear with me a second because I haven't actually set to find I'm doing for time. So, the arguments about privacy. Now, historically, privacy has been known as a famous article by Brandeis and Warren from 1890. Long-sanding law articles laying over 100 years and it's still not in which some sort of record I think from a law review, it was a law of use. And the piece from privacy, they said, privacy is the right to be let alone. This is historical, your privacy that the early cases in the European Court of Human Rights talked about this as the right to protection from arbitrary interference from the state. Historically, we think of privacy as seclusion. Even if one starts with that definition, what is interesting about that is that notion is associated with the early 19th century. And there was the growth of the administrative state of extensive policing classification, detailed regulations, identity at that stage was as understanding that the crime has ought to conform to particular types. So it was very much a reaction, that definition of privacy against this move for conformity and this growth of the over extensive administrative state. What begins to happen in the 50s and 60s is that privacy requires a new meaning. And this is privacy concerns began to emerge, not about the state poking into our bedrooms, just about what it did with all the information already had about us. This became increasingly increasing concerns about this with the growth of the welfare state, use of censuses, the series of scandals in Europe and particularly in the 1960s. What you find in the US in the information practices, Council of Europe resolutions that began to emerge, legislation that developed first of all in HESA, the first place in Germany in Europe to have it, the question of land and then in Sweden in the early 70s was governance on how public administrations, but also private organizations, but they were seen as less of a problem at that stage or less acute problem, managed the information had about us so data was only bigger to be collected if it was proportionate to the purposes that characters will collect lawful purposes that to be accurate enough to date and subjects had to know what was held about them and be able to check if it was accurate. And there were concern there were also particular worries about sensitive data data might be used to. I tried to pressurize the subject. And this was very much the view of privacy that was taken of the 60s and 70s. But then something quite interesting happens in the mid 70s. The US, which was concerned increasingly as it began to credit card industries, things that want to use individuals data for transnational transactions began to get worried that the growth of the laws that were developing in Western Europe in particular that time, this impede free flow of information, which began to be developed quite aggressively and transnational trade prefer the free flow of information case law from the 60s by the US Supreme Court. In the meantime, the Council of Europe comes to the idea that having a general privacy convention might be a good thing, because it saw parallels in how all European states are handling this issue of governance, how we are known. And this kind of left in the mid 70s around two things. The OECD became a forum for developing common principles and privacy to allow transnational flows of information. Alongside that was agreed that the Council of Europe pay heed to this and develop a convention convention became convention 108 on the processing of personal data. Now, both the OECD guidelines and the Council of Europe convention. We articulate the elaborate a little bit more but basically we articulate the stuff that had been developed in national practice and earlier Council of Europe resolutions on governance of how we're known. They did two further things like dealt with this issue of transnational flows of information. Now the way the OECD guidelines dealt with it was to say that in principle these privacy restrictions were only permissible if they were proportionate if they did not exceed what was necessary to protect privacy. The states could hold on to it but not go much further. Now the states could impose restrictions but they had to be related and proportionate to these governance requirements. The Council of Europe convention went much further. Convention 108 does something very interesting and the one hand it says it's iconography iconography is that it's about protecting privacy. It's nothing else. It's about protecting the right to respect for privacy in the context of processing data. But then it relativizes this right both in the preamble and article 12. And the preamble it says this right has to be reconciled with this is the fundamental right. I'm not sure existed at that time in Europe to free flow of information so very much a US concept. And then in article 12 it doesn't reconcile it just says basically that there should be no restrictions on flow of data on grounds of privacy. There's two exceptions for this one is for sensitive data. Where there's not equivalence between two states and the other is where the data might be retransferred to a state that is not in the Council of Europe not part of the convention. Now here one has something quite unusual. The privacy is now you've been used for something quite unique as a justification for transnational flows of information. The convention and sometimes on the OECD guidelines only make sense if you understand that now becomes something with privacy is the justification of transactions and personal data. However, the problem with the convention was that didn't really create a market, they didn't really specify for what purposes personal data could be processed and very very generic generic. There was still a lot of disagreement and difference in laws about when there could be transactions and personal data. And this was picked up beginning of the 80s in quite a significant way by the Commission in the European Parliament who said Europe had to do something about this had to be greater harmonization. It's part of the single European Act on the basis of convention 108. But it just didn't really get anywhere for many years, because crudely the member states didn't see much interest in the market and personal data at that stage so it's well before really the growth of the internet. Things changed as they began to be concerns about use of data within the context of Schengen. In 1995 you get Directive 9546 EC, which is the first significant EU law instrument on protection and personal data protection directive. Now, my view is this directive set in place as the template for the GDPR and many ways, when finding the GDPR is just an acceleration with one or two significant things of this directive. But what this directive does that's really significant is it creates a market, an autonomous market in personal data. First of all, at every, every aspect. First of all, the EU law gate keeps who I'm walking into the market data can be processed within the EU on for the grounds of the set up new law. It's exhaustive harmonization states can't introduce new grounds and they come if data meets the six purposes stipulated by you or have to allow it to be processed. Secondly, the, this is the old definition of personal data specifies the subject matter of the market by setting out a definition of data. Thirdly, we're setting out a definition of processing it specifies the types of transactions that can take place then specifies the market act as data subjects who can transact in their own data, data controllers who can be in charge of processing the data of others. And then it does it provides a limited liberalization transnationalization of this right it says in principle data that meets this directive states come restrict its flows transnational flows on grounds of fundamental rights. Now, that is an accrued way, what the directive says but that in itself I do not think is particularly interesting. I just said a little bit about principle of information sub determination and how I see it as interesting. The directive before I come on to print but that's something very interesting in Article one. It says, its purposes are to do two things one one, it's to ensure that member states respect privacy. In the data. And the second thing is, it really provides for liberalization of trade and personal data. It's based on what's now one one four and article one two has this market access provision. The background to the directive was that German law was highly influential. And it's worth me just saying what I'm talking about here particular was the directive refers repeatedly to the right to respect privacy. It's worth thinking who's right to respect privacy. And the conception that as I see was set out in general interpretation of that information self determination is pretty influential. The right to informational self determination is stemmed from a 1983 judgment of the German constitutional court, which all Germans Marcus and Charles very familiar with, which were they had to review and they found repugnant various elements of a census act on 1983. So we're going to set out this new right, which they said involved two things that involved first of all, the right to self determination, which is a right to choose whether to disclose data about oneself. And whether to follow up on that choice. I'll come back to that this element of choice and liberation. And after that they said the right to informational self determination includes rights of personality in the in this judgment so they said two aspects of sort of an enviable I shouldn't say private law and variable for private area of individual right to this purpose is they also have said it involved the right to publicly represent oneself rights to determine to a certain extent how was represented to others. Now they said that it followed from these two things that individuals had a right to correct to know and correct what was known about them. So this particularly so because of three reasons and this is my, my language not the courts, free risks omniscience was a concern that if someone knew everything about you. It might chill the actions that you take might be frozen from doing things either in social life or political life. There's a danger they might represent what you're about might put out false data. And finally they might use this information to manipulate manipulate you. Now, the right to informational self determination only has a relative weight in German, because it can be used by individuals to stop freedom of expression to stop. It can be outweighed in two other circumstances, where, and then the court said, one is the public interest and one is the legitimate interests of others. When I was thinking about legitimate interests of others thinking particularly about journalists. In that judgment, it is a judgment very much a German public born German constitutional strong ideas in a vibrant from public sphere, and a balance between that and this idea of individual private choice and his right to personality links to human dignity. Now, I think the link between it and the directive and between current to you law is quite strong for a number of reasons. First of all, the people who had been strongly involved with principle of information self determination in general constitutional particular cost of submitters who set up the first hassle act was involved in drafting the directive and had a pretty exclusive role in self determination only allowed them to be really involved with the initial proposal. So, it's architects were pretty much the same. Secondly, if you just look at the walking one say the Constitution context, this was the period of venture. And, you know, so long ago current, you know, you lawyers knew that they would get a free pass in this civil liberties sensitive area, if they could show that their protection was at least as good as that. There was a commitment to being at least as good as that in national constitutional law. And this was the main national constitutional court judgment at the time so satisfied this, you'd be fine. And thirdly, if you look at the directive at a formal level parallels in a very powerful way, the information self determination. So the market constitution reasons the reasons for allowing that to be transacted follow the information so determination consent public interest legitimate interests. Secondly, one can find the same market regulating controls that all about the right to know and correct what is known about you. The right to be forgotten so much later I was developed in 2014 by ECJ case law. Thirdly, there is this concern, albeit perhaps not as authentic in my view, as that of the German constitutional court with a private sphere data process and personal household activities is excluded. The legitimate interest of progress have to be balanced against the right privacy of the data subject. And there were some restrictions where we're profiling takes place. And actually, those would be I think the good intentions of the architects. But this transplant is all about the danger of what happens when you transplant one principle for one area of law this German constitutional law to another to EU economic law. And I'll just go through this, and then I'll probably whiz through the things. The first thing that happened with the directive was that it changed the main the central basis for which data was processed. If you look in the German constitutional the 1983 Census Act government. The reason public authorities say they can process is normally the public interest. In this particular case with market actors. They will always be arguing or trying to get the consent one way or another of the data, data subject. Now this has an interesting effect. It means that realization privacy or informational self determination, my choice to disclose and realization will market often become the same event agreement to allow someone to use your data becomes a transaction or the transaction. The second feature that's unusual about consent with GDPR and the predecessor is that we're in a general constitutional consent was central to allowing individuals to reflect deliberate they could change their mind. Consent is used in a different way in the EU data protection law. It's obtained promise that if the other party asked you for data and you sort of agree, then you almost bound to let me use it at least for a while. So it's stripped of its elements of reflection information reconsideration. There's none of the cooling off periods you'd have with the you can consume protection. Now, as a consequence of consent becoming the main vehicle for processing something else quite interesting happens. But if you look at the informational self determination principle. It now becomes about not governing. It gets removed from its initial context which discussion of relationship individual and state the governing private relations. And this is only something that was agreed by in general constitutional call by which should be set in 2019. And not just that it taxes those relations and what I mean by that is the person that's processing the individual that you are personal data has a lot of duties it costs the money. And so there has to be a good reason or return for them doing it. And next it says something quite interesting about privacy, both informational self determination and the dbtd that say there is no collective interest in my seclusion. I have a right to let someone else know everything about me, absolutely everything no matter how intimate, how shaming, how gross. Now, the original principle said well that's done so on the axis of choice. It is slightly different with the dbtd with you data protection, because it's no longer about choice. You do this to help establish a market, there are incentives on the markets, the market is given over to ensuring the efficiency of the management of this information but in terms of it, the allocated efficiently or used efficient produced efficiently. So, there is a collective interest in sharing that information, it may be subject to my consent, but it's the collective interest is now weighed further in favor of a bit of software in favor of sharing that information. Now if that's so, what does it mean to say well this is about protecting privacy, it's not about protecting seclusion anymore. Now, ECJ has been absolutely clear that the data protection directive realises the right to privacy and the right to data protection invented a new fundamental right for us. Pushkir says that if you meet the requirements of data protection directive, you meet the requirements of these rights, they're one and the same thing, that's the 2017 ECJ judgment from Slovakia. Now my only view when I looked at it was looking at how it's developed in the US and there's some ECH case nor on this. So the privacy is moving towards what is an individual right to personal development, but to a notion of personal development, but what happens when people share their privacy. They get the access to important spaces, virtual spaces, the ECH case nor specifically about the right to people with disabilities to use public spaces or you could use article H for that. And increasingly privacy has been seen in that right. That in my view that was taking place and I don't say this is any defender of this is the privacy is you being used as a management of your personal development. That's what is happening with the Facebook or wherever else as guardians of this semi private space. This protection experts people like Dana board have pointed out that you know teenagers on the use Facebook is precisely as a semi private space to converse with other teenagers for good and for bad away from their parents. So they've moved the information society and privacy to this idea of personal development. Alongside this, a number of other things happen because it may be in our guardians of your personal development, but it's a market. And the market relies on information rather than personal knowledge. So they stripped down your personal knowledge to bite sized bits, but they also stripped down your knowledge, the takeaway tacit knowledge, it's knowledge, only that can be explicit. And by doing this, what that means is, because we know more than we can say, they stripped down things that are very important to most people's self knowledge, particularly according to psychologists, ideas of meaning experience and awareness or rely on things that we don't articulate. These have to be repackaged when they are shaped back to us and knowledge. And I'll just deal with one final thing, which is the data controllers. If you look to the original directive, well, there's provision for independent agencies. The data controllers, the people managing the data when it looks, the other center of regulatory gravity, there's no doubt about that. The assumption of linkage and self regulation. But it was weekly regulated or weekly specified. And because I'm running out of time. I'll just go back to the GDPR and just say how the GDPR change things that the GDPR, as I'll say, put some much more explicit conditions, particularly on consent. There's a bit of stuff on the rights of the data subject. But what it adds that's particularly interesting, in my view, is where it will. It is on the responsibilities of the data controller formalizes these notions of self regulation, much stronger requirements for data protection officers impact assessment and data protection by design. And how does this change things. I'll just go through this and hopefully allow you five minutes for questions. The first thing that happens is the GDPR in relation to the data protection directive. I say it fetishizes consent. What do I mean by that. It requires consent to be much more express than it previously was individuals have to actively consent much more vigorous, much more obviously to their data being used. The consent is more ongoing now. It's possible to withdraw consent on any time. And it's more wide ranging. You can swap people who are managing your data. You can, you get more information about what your data is being used for so you can see if you're happy on it. What it fetishes is it's been known since the 60s, the so called privacy paradox that people don't manage aren't very active managers of their privacy. This idea that people actively consent and think about each time, even if they could, and there's strong evidence that they don't have the information to do that. The latest survey I saw was about 2.8% typically interested in experiments. So it overstates this and surprisingly enough, the commission has noticed that no data portability of much note has taken place in the two years of the since the regulation came in. So if consent is a problem at the beginning when you just have to take a box that you have to read the notices, you're not going to, it's going to be more of a problem for monitoring. So it's worth thinking what consent is being used for. And that should not say ex ante, that should say ex post, that's a typo. Increasingly if you look at what the new consent is being used to, it's increasingly used after you've initially allowed the person to process the data. And what one's agreeing to at that moment is checking what sort of persona is being developed as the idea that at a certain point if they develop things or develop things in a way you don't like, you can withdraw it or correct it or remove it or whatever. But my view is that what's happening here is that if you see them as developing personal development, isn't that people are going to object because they've got they see violations of the privacy or the information on being used in the right way. It's likely that the returns that what's being offered for the exploitation of the data isn't great enough that what might happen is the services aren't particularly good enough or whatever the gimmicks etc. So my own view of what's happening here isn't so much that it's about privacy but ensuring a market between processes of data where they increasingly offer returns and return more gimmicks more toys more more jungles in return for processing your data. Secondly, what's taking place in terms of the competitive geographies? How's this affecting people who are actually managing your data? There's strongly that there's two, there's three types of group. There's people who manage data and the information they do, they really want the data just to know something about you to sell you something. I mean that's still going to be quite extensive. And these are the groups that are really struggled with the GDPR because most of the burdens of the GDPR are front up burdens. And that's where you've seen all the debates about it being over costly. Now alongside that, you've got this formalization of self-regulatory duties for those engaging in significant processes on the Facebook of this world, data protection officers, design impact assessment, codes of assessment etc. And what I'd say about that is that it will be quite interesting to see how these develop. Increasingly there is resort to or suggestion to resort to use greater use of international and European standards. And it's been suggested that the standardization processes might be places where different stakeholders come together to, if you like, work out different conflicts. But as of anything these conflicts will be skewed. People are managing your privacy. Yes, they might want to do it in a way that's reputation and good for them. But they will still want to get returns. And they will still want to do it in a way that provides services to others. Now I'll leave this. I'll do this side and then I'll stop. The next thing that's quite interesting happening is what the GDPR does for EU's relations beyond the world. What happened with the data protection directive was there was a push to consolidate the market both internally and externally. So it didn't just affect transnational trade, it affects absolutely all processing whatever its scale in the EU. And free flows couldn't take place beyond the EU if the data protection wasn't adequate. So the Commission traditionally interpreted that broadly at least as good as EU law. Now the GDPR takes us a bit further. The Commission can now only grant adequate citizens so it can only allow free flow of people's data, not just if there's an independent agency that's following GDPR rules. But if the state generally respects rule of law of fundamental rights, so your data is not going to China anytime soon. Now, alongside that, however, the GDPR provides for transfer what it calls binding corporate rules. These have to be authorized by an EU data protection office. So these binding corporate rules were typically between groups of enterprises that can be certification by standards, which have to be binding and they have to meet EU standards. So it's a basic form of private regulation, which is signed off by a private agreement by an agency in the EU. And when already sees international standards being developed to try and meet this and there's a lot of debate about whether he's a GDPR compliant or not. Now, this, this is interesting, because this transplant effect has generated political economies of data protection in all the states that have responded to the GDPR and you find two, two responses. Some who emphasize ex-anti-consent, so Singapore I am is one, and others we focus on ex-post accountability, the responsibilities of data processors. And how these play out, how the data protection authorities will work out what the regimes it will about, will be interesting, it will not simply be about data protection, it will be over time about competitive advantage. Alongside this, I think it's likely that you might also have some data, data nationalism, data protection nationalism. And, sorry, let me just go back. And what I mean by this is there's a good chance that in deciding whether firms are data compliant, both under these binding corporate rules in the EU but outside the EU, you know, competitive advantage, questions of being more skeptical of data protection standards of firms or one's own firms, may in turn become an issue. And I'll stop there and happy to take questions and apologies for overrunning a bit. Thank you very much, Damien. Thank you very much, Professor Chalmers. We have a couple of minutes for questions.