My name is Heather Conley. I'm Senior Fellow and Director of the Europe Program here at CSIS, and welcome. We're delighted to be a partner of the European Union Delegation to co-sponsor an EU rendezvous event, and we have a rendezvous for you this afternoon, I assure you. We are delighted to welcome three colleagues to help us get a better sense of the European Union's data privacy rules and a digital economy, truly from a transatlantic perspective with us. And again, we are delighted to welcome Françoise Le Bail, Director General for Justice in the European Commission, who was appointed to this newly created DG Justice position on July 1st of 2010. And prior to that, Françoise was the Deputy Director General for DG Enterprise and Industry, and had a great deal of involvement with small and medium enterprise policy, innovation, and regulation. And we are, we'll get you some water. We welcome you, Françoise, with us today. Her transatlantic partner with us is Julie Brill, Commissioner of the Federal Trade Commission, appointed July 6th, 2010. Prior to becoming Commissioner, Julie was the Senior Deputy Attorney General and Chief of Consumer Protection and Antitrust, that's a title, for the North Carolina Department of Justice, and she has held prestigious positions as a lecturer at the Columbia University School of Law. And providing the private sector opinion and approach we have with us Mary Snapp, Vice President and Deputy General Counsel of Microsoft of the Products and Services Division in Microsoft's Law and Corporate Affairs Department. Mary has held many senior positions at Microsoft on various teams and she is a 23-year veteran. She knows this industry very, very well and we're very appreciative of her opinion as well. Your cruise director for this conversation will be Dr. Jim Lewis. Yes, you didn't think cruise director was on that.
Jim directs our technology and public policy program and has also had an event this morning, so he is a double header today at CSIS. Jim and I collaborate on a transatlantic cyber security dialogue project, again a wonderful program sponsored by the EU delegation. And so we just were delighted that we can provide this opportunity to continue talking about important transatlantic issues, and privacy and getting the digital economy invigorated in the transatlantic economy is one such thing. So with that, I'll spell as well have you begin and work down the table and Jim, take it away. Thank you all for being with us and we're delighted again to partner with the EU delegation, thank you.

Well, thank you very much and I'm very happy to be here in Washington to talk about an issue which is of interest for everybody who has a telephone, a computer, who buys things on the internet. I think what is very striking this afternoon is you have here three people who are trying to get the right answer to the same problem. What to do about privacy? Well, we are going to make sure that all these citizens who are using the internet and who of course will use the internet increasingly are going to be protected. And when I'm talking about being protected and having rights and enforced rights, I'm not talking about putting barriers to stop technology. It's quite the opposite. And we believe that certainly when trying to get the answer to privacy, we have at the same time to make sure that although people are protected, we are also certain to help the development of technology and also to help this business development on which the economy is very much relying for the future. So let me try to explain to you what sort of answer we are trying to figure out in the EU. First of all, in the EU, we are not starting from scratch. We already have legislation on privacy. It's legislation which dates back 17 years and it was time to update it.
To update it because of course technology has changed the landscape beyond recognition. But I'm saying this because what we are doing in this reform is not to change things beyond recognition. There are many principles, many ideas which are already in the existing legislation which are kept and which are developed. And there are three points to this. First of all, what we are trying to do is to make sure that people are in control of their data. And this is crucially important because when you ask citizens in the EU, but also in the US, what worries them about the internet, of course it is what happens to the data they put on the net absolutely regularly. And we believe that there are a number of rights that have to be very clearly defined and enforced which will help citizens to be in control of their data. And all this is things like the access to the data. This is of course consent, and I'm sure we will come back in the discussion on consent. Consent which means to be aware of what's going to happen to your data and agree to it in a way which is simple and which is not going to imply consenting all the time. But I mean consenting once and not creating any consent fatigue, as we have been told repeatedly. But all these rights which are already existing we have to reinforce and to make clear. This is the first thing we are trying to achieve. The second thing we are trying to achieve is to have a single market of privacy. And this is crucially important, and this is crucially important for all these companies in the US or anywhere else which are operating in the EU. Currently you have 27 regimes, which is one regime per member state, because the legal instrument that we are using means that each member state is transposing this provision inside their own legislation. So what we are proposing to do is to simplify all this and to have one rule and also one data protection authority.
Which means that as a company dealing in Europe you know that you will have one data protection authority to deal with, which will be the data protection authority of the main establishment, which is the place where a company will decide in Europe, where it has a representative in Europe, where the data protection policy will be decided. So the second thing, the second message I want to convey is that what we are proposing is a huge, huge simplification. And this is a simplification we have put a price tag on. It will be more in excess of two billion a year in savings for these companies operating in Europe. And Europe as you know is 500 million people and of course a lot of transfer of data and also a very profitable market for this. So huge simplification. And the third thing, the message I want to convey because there have been a lot of questions about it: is this new reform, is this regulation going to stop or make more difficult the transfer of data between the United States, since we are in Washington, and the EU? And there, what we are trying to achieve in this provision on international transfer is there again simplification. Simplification for example through binding corporate rules, which were existing already but which were somehow rather complicated, and we are simplifying it again by stopping the notification provisions that are existing now. So simplified binding corporate rules, but it also means plenty of other ways to transfer data if you're not a big company or big undertaking; it can be done by a standard clause, it can be done also by codes of conduct and many ways, and we have made sure that for this transfer of data, international transfer of data, there was both a big diversity of means of transferring data and a much simplified way of doing it. So again, the objective we have is to facilitate transfer of data, being sure that the rights of citizens they are asking for, both in the EU and in the US, are fully respected.
So this is in a nutshell, and there are of course many more details I can provide on what we do, and I'm sure we will do that during the discussion, but this is in a nutshell what we are proposing. We are proposing this with a clear legal instrument, and I'm sure we will come in the discussion with Julie to the various ways we are trying to achieve things, as in Europe certainly with a strong legal basis, with a strong enforcement as well, which is reinforced in this proposal with strong data protection authorities, with a board of data protection authorities which will mean one single decision, again as opposed to the 27 interpretations we have currently. So a strong governance of the entire system, one law, one data protection authority, and then a much more unified scenery or landscape for these companies operating in Europe. What strikes me in all this is we see, including in the United States, these changes which are taking place, and again I'm coming back to my initial remarks. We are all trying to find a solution to the same problem, and I was certainly interested in the development in the state of California for example in privacy where they are relating on the privacy. I'm certainly interested in the policies which are designed by big American companies, and Mary will certainly say something on the policy of her own company, but I see others as well trying actually to reinforce their privacy policy, and of course because there is this strong questioning of the consumers, of the citizens, for this, and of course because there is no contradiction between protecting the rights and developing the market, and this is also a message I want to pass. We see a strong data protection policy as an asset for a future development because the consumer is asking for it.
So this is what we are trying to achieve in this reform of privacy in Europe, and we are now embarked on discussion following our own institutional process, and I'm very hopeful that in the course of 2014 hopefully we will be able to finalize this strong policy proposal which will read for the rights and clarify things for companies operating in Europe. Thank you.

Julie, why don't we go to you?

Sure. Well thank you very much and thanks so much to the EU mission for inviting me and also to CSIS for inviting me and co-hosting this event. I thought it would be helpful for me to address the way in which we in the United States are trying to solve the precise question that Françoise indicated. We are all working to resolve how to protect consumers in this rapidly changing technological environment where so much is happening so quickly, whether in the mobile space, online or elsewhere. So I'll talk a little bit about what we at the Federal Trade Commission are doing to try to protect consumers' privacy, and then I thought I would close with a little bit of our work with our friends in the EU in terms of our experience with some of the things that they are looking at with respect to the proposed reg and our reaction, both the positive and the areas where we're in a continuing dialogue. I did just get back a few weeks ago from Brussels where I had the pleasure of meeting with Françoise and her team and spoke in a number of public fora and also met with a number of officials both within DG Justice, within DG Connect, within the European Council and elsewhere, and it was a really, I think, great dialogue. So let me just start, for those of you who don't know or may not be as aware as others of you are, I know there are many of you here who are very well aware of what we at the Federal Trade Commission are doing. We have really become, in my view, the nation's premier privacy protection agency, and this is on the consumer protection side.
Not so much because we don't have jurisdiction with respect to the government's use of information. We focus on the ways in which companies are treating consumer information and so in particular, we look at inappropriate collection and use of personal information and we also look at failures to reasonably protect information from data breaches or other inappropriate use. We have a multifaceted approach. Our agency was designed, almost 100 years ago, to take a multifaceted approach so we engage in policy development, we write reports, we do studies, but probably first and foremost, we are a law enforcement agency and we engage in very vigorous law enforcement. But one thing that we issued a little bit over a year ago now, it was in March of 2012, we finalized our big privacy report which was designed to present to industry a series of best practices in terms of how industry should be dealing with consumers' data and information. It also was designed to serve as guidance to policy makers, whether in Congress or in the States or elsewhere, in terms of how they may wanna be thinking about addressing privacy issues going forward. So we set forth three principles, some of which we see in the proposed reg, we set forth the principle, we didn't create this principle, we adopted and set it forth. I just wanna be clear. The principle of privacy by design, simplified choice and greater transparency. And we talk in great detail about how industry can provide these three elements in their data collection and use practices. I think that the report was really groundbreaking in terms of a governmental agency setting forth these guidances and so I commend it to all of you. We have been working since then, since March of 2012 to help industry operationalize these recommendations. 
One of the ways we help industry operationalize our recommendations is by doing studies, and I'll talk about some of them, but probably the biggest way, and the way that gets the most attention certainly, is through our law enforcement activity, and we are very vigorous in that area. So as of right now, we have really all of the largest players within the internet ecosystem under order, consent orders with our agency. So right now Facebook, Google, MySpace and Twitter are all under consent orders with us for various issues which we can get into in the Q and A if anyone's really interested in the details. These orders collectively cover a billion people worldwide. They require comprehensive, leaving aside the Twitter case, which was data security, but Facebook, Google and MySpace require the companies to develop comprehensive privacy programs that are audited every other year, and most importantly perhaps for this audience, and I know for Françoise and for others of course, is that they require compliance with the US-EU safe harbor, and the failure to comply will lead to the potential of penalties. We've even already had the opportunity to enforce one of these orders with respect to Google, where we entered into a $22.5 million civil penalty for what Google was doing with respect to tracking cookies for placing targeted ads to Safari users. But these are the big cases. These are the cases that get a lot of attention because of the names involved, but we do many, many other enforcement actions, take many other enforcement actions involving the entire range of entities in the ecosystem. Internet as well as mobile. So we have enforcement orders out with respect to ad networks, mobile apps, data analytics companies, data brokers, credit reporting agencies; a very important area near and dear to my heart are data brokers.
Social media as I mentioned and software developers, and we address a wide range of activities: online tracking, data security, fair credit reporting compliance, spam, do not call, robocalling, and COPPA, children's online privacy, is another area that's very important to us. What I thought I'd do is mention very quickly the four areas that we will likely be focusing on going forward for the next year or two. And we certainly indicated that this was the case when we did our big privacy report. The four areas that we're gonna be looking at in great detail are mobile, everything mobile, children's privacy, do not track, and data brokers. I don't wanna take too much time but I thought I would just try to highlight very quickly what we'll be doing there, because I wanna turn of course to the proposed reg. In the mobile space, we have a mobile lab, we have a chief technologist, we are looking deeply into the technology involved with mobile and in particular with respect to the responsibilities and activities of all the different players in the mobile community, the mobile ecosystem, because it is a more diffuse ecosystem, especially when you start talking about the apps, than is any other community that we're looking at. We have done several reports, including how it is that these players can provide privacy disclosures to consumers when you're dealing with a limited amount of real estate and you're dealing with so many different players; one of the big questions, going back again to the challenging question Françoise posed, is how do you do this in this rapidly changing environment? We did a report making recommendations of how the mobile community can give much more effective notices about privacy issues to consumers.
We also did two reports on kids' mobile apps where we found that that particular ecosystem is not really yet focused on the type of disclosures that they need to give in order for parents to be able to exercise the control that Congress has suggested is required, and that is that parents be able to provide consent before information is collected about kids under 13 when the company, the online company, knows they're dealing with a kid or they have an app or a program that's targeted to kids. So we've done all those reports. We've also done a general .com disclosure report, also very important. I suggest you take a look at it. We've done lots of enforcement in the mobile area. Happy to go into that, particularly with apps, but not just with apps. We did one case that received a great amount of attention involving HTC for Carrier IQ, which was basically a software data security case. The first one arguably that we did that wasn't focused on enterprise security but on software security. So I suggest you take a look at that. Lots of activity in the COPPA space, Children's Online Privacy Protection Act. We recently finalized our updates to the COPPA rule. I'm sure there'll be some questions about that, but I think we struck a very good balance in terms of dealing with the way the ecosystem has evolved and yet also trying to work with industry to make sure that it would be a rule that they could work with. Of course, we were just implementing a congressional mandate, a congressional mandate to ensure that parents do have control over the information that's collected about their kids. Do not track. We called for industry to develop a do not track mechanism, which is to give consumers some control over the collection, or some of the collection, and use of their information online. There has been a lot of activity since we made that call over a year ago. Tremendous amount of activity on the part of the browsers, and I'm sure Mary will be addressing that.
Tremendous amount of activity in terms of the ad networks and the DAA program. And there's a lot of activity right now within W3C, the World Wide Web Consortium, to try to develop a standard around that. Happy to talk more about that. Data brokers, I just want to mention really quickly. I think data brokers, my personal view is data brokers will be the privacy issue for the next three, five years. Data brokers, unlike many of the entities that are operating online, first party entities or even the ad networks now, data brokers are largely invisible to consumers. They collect information both online and offline. Consumers have no idea who they are. Many of them do offer consumers some choices to opt out or to engage in correction rights, but consumers have no way of finding those entities. So I have made a personal call. Our agency has called for much greater transparency around data broker activity. I have been working with the data broker industry. I think they get it. They realize they need to have much more transparency around who they are and what their activities are and what choices they give to consumers. They're struggling with how to provide that. And I have told them I would really like to see a one stop, a single web portal where consumers can go to get information about all the data brokers that are out there, or at least a bulk of them, and can exercise choices. I'm still in a dialogue with the industry about how best to do that. Okay, let's, should I turn briefly to the reg? Okay, finally, well we do so much. I don't wanna leave anything out but we really do a lot around privacy enforcement. And as you can tell, I think it's fabulous work. So, but with respect to the reg, we've obviously followed the proposed reg very closely. There are many of the same goals that Françoise described and that her colleagues in Europe are trying to address that we are trying to address here in the United States.
Privacy by design, greater transparency, providing consumer control, appropriate consumer access to data the companies store about them, data accuracy, data security, parental control over information companies collect about kids, and accountability. These are all principles that I see and that we as an agency see within the proposed reg. We think that there are gonna be many provisions that will specifically help consumers. For instance, particularly some of the provisions around children. We see that as being something that is picking up on work that we've done. And I've been talking to Françoise, her team and others about our experience with respect to the Children's Online Privacy Protection Act. Data breach notification, another concept that is built into the proposed reg. I have a lot of experience at the state level dealing with the data breach notification laws because here in the United States it's pretty much done entirely at the state level. There are exceptions around HIPAA and other things, but pretty much generally speaking it's at the state level. And I've spoken with Françoise and her colleagues about some of the good things that I see in that provision and some of the things that they may wanna think about, what the consequences would be if each and every time there is a breach the EU DPAs, all of them, receive notice and what they would be doing about that. So there's a lot of great stuff in the reg. One of the things that we are particularly concerned about at the Federal Trade Commission is the extent to which we are going to be able to engage in cooperative enforcement with Europe, with our colleagues in Europe, going forward. We already do a tremendous amount of international cooperation around privacy enforcement through the Global Privacy Enforcement Network, which is otherwise known as GPEN, and also on a bilateral basis country by country.
We wanna make sure that there won't be barriers set up to our being able to protect Europeans through the EU-US safe harbor, or that we won't have barriers that will prevent us from protecting US citizens to the extent that there are European companies that are engaged in activities purposefully here in the United States that affect US consumers. So we wanna make sure that we will have that ability to engage in that kind of international cooperation, which we've been doing so much of and want to continue to do. So I think with that, I'm sure we'll get into the discussion as we go forward, but that's a pretty good overview of what we do and our perspective on the reg. Thank you.

Okay, it looks like I'm here. Thanks so much for the invitation, and the good news is the themes that both Commissioner Brill and Madame Le Bail have talked about are ones that very much resonate with some of the work that Microsoft is doing as well as it thinks about its role as both an enterprise and a consumer provider of both devices and services. I thought I would start, maybe just to lighten things up, to tell you a little bit of a story which might tell you why privacy is so important and sort of illustrates some of the themes on a real basis that all of us are talking about. As you know, I'm from the Pacific Northwest area, which is an area where everyone is very interested in being in shape and athletic and exercising, and we're home as well, very close to home to Nike Corporation, and all of the rage in the Seattle area, and particularly on the Microsoft campus now, are these bracelets, these wearable bracelets, and you sign in with Nike and you provide your age, which was a little horrifying, your weight and your height, and it measures the number and how much exercise you want to get in a day, and it measures how many steps you're taking and translates that into fuel. So I bought this bracelet, I put it on, I put all the information in.
I thought, you know, it's not too much that they would know about me. At the end of the day right before dinner I realized that my bracelet said that I had not gotten nearly enough exercise for the day to meet my goal. So I thought right before dinner I just started exercising in my kitchen. I started doing jumping jacks, calisthenics only to realize my husband was videotaping it and suddenly I thought, you know, this is an unexpected use of data that's being collected by me that I had not anticipated and it's exactly these sorts of non-contextual sorts of uses that we in the privacy world want to guard against. But I was the user in control, you see, so I immediately confiscated the cell phone and so it will not be seen ever again but the themes here of transparency of what data is collected for what purpose and ensuring that the user remains in control of the data is very important. It's important in the EU, it's important in the United States and it's important for corporations who are responsible citizens in the data area as well. We have thought about privacy for a long time at Microsoft and I've been engaged in some work on privacy since we launched MSN 17 or 18 years ago and the work has become as everyone knows so much more complex and sophisticated since that point in time. I think it's fair to say that we know that consumers care about their privacy and they rate caring about their privacy as important as they rate things like medical issues or financial issues or relationship issues. But what we have never really known is whether consumers who care about their privacy actually can turn that caring into behavior. In other words, on the internet are they modifying their behavior as a result of interest and caring about privacy? So when we think about this, the themes that the others talked about, transparency, trust, control are all very, very important ways in which consumers can modify and can manage their privacy online. 
And as we think about the new uses, whether it's mobile or whether it's cloud-based uses or some of the big data and the mining and analytics, these are all different ways in which we can think about those three pillars and the importance of managing consumer and private behavior. So we have done polls, and others have done. We know consumers care about privacy. We recently commissioned our own poll, and we learned in that poll, we sampled users in the United States, in the UK and in France, and we learned that about 85% of the people that we polled say they are concerned about privacy, but less than half of them actually do anything online actively to moderate their behavior. We think that we can compete on privacy. We think that we can get users to try our products and try our services because we offer a better experience for consumers in this area. So we're actually testing that. We launched campaigns a couple of months ago in Washington DC and in Kansas City. We launched them in Europe a few weeks ago, and we are inviting users to go online at Microsoft.com. It's called Your Privacy Type, and to take an online quiz. The quiz measures how comfortable you are using various technology online and how comfortable you are sharing information, and it asks questions like where do you use the internet, everywhere from your office to your commute on the way home. It asks very high level questions about social networking and how you use social networking and how much information you share.
It then identifies you by a certain persona, everywhere from a "privacy please" all the way to the "casual surfer," and you might imagine, and I would guess, that all of us at the table are gonna be "privacy please" kind of people, but then it says does that match with how you think you use information online, and if not we invite you to take a look at some of the services we offer with Internet Explorer and with Bing and others of our products and services to learn more about how you can manage privacy online. We'll go back in, we'll do polling, hopefully we will learn that these things do make a difference and that people will change their behavior in responsible ways in order to manage privacy online. Now having said that, we're doing this because we would wanna innovate in this area, and Commissioner Brill has mentioned some of the work that we have done in the do not track area with our Internet Explorer 10 and our Windows 8 product, and we're in the process of learning how that is playing out both with the industry and with regulators and with the ad industry as well as other website providers. We think it's really important to think about notice and consent in this new world because the ways in which people use services online are quite different than they were 10 or 12 years ago, where you could ask for consent in a long privacy statement that virtually no one read. On the other hand, you don't wanna be asking for consent 50 times as you're out traversing where it is you want to go to dinner that night and wanna use geolocation kinds of services. We think that there's a difference between being secret and being private, and that in the old days we talked about secrecy on the internet and having no one know what you're doing, and today really knowing that people want to share different kinds of information with people that they trust, and being able to moderate those differences and make modular decisions about people with whom you want to share information is important.
We do know that it's important to personalize our services if we're going to continue to compete in the world of the internet we need to provide services that people find valuable. If people find services valuable and tailored to them it does mean we will be collecting some information so it goes back to understanding how the information is used and providing the contextual consent for that information. I think increasingly we're gonna be starting to talk about when you expect to be anonymous and not just anonymous online but anonymous walking down the street. Whether it's cars or glasses or bracelets or other kinds of wearable devices we're talking about sort of anonymity from each other in a way that I think will be really fleshed out over the next couple of years. But as we really develop at Microsoft a company theme that is built around devices and services and notice I didn't say software it's devices and services it's gonna be really important to integrate these kinds of services which deliver these high value kinds of propositions to our consumers. The only way consumers will take advantage of that is if they trust that we will manage the data in an appropriate way. We welcome the leadership of both the EU and the FTC. We were one of the early adopters of the safe harbor principles now over a decade old and still very much in force and very important for us to think about how we manage privacy. We welcome the dialogue on the data protection directive. I know that Commissioner Brill and I would have a lot to talk about when it comes to COPPA and do not track and the Privacy Bill of Rights and other kinds of things. It is very important for us to have regulatory leadership and it is also important that we also have consistent rules that we can rely on that cross the Atlantic Ocean and one of the key parts of that really relates to being able to manage the data flow back and forth trans-border. 
That is important on the consumer side, but it is also very, very important on the enterprise side of the house, as large multinational corporations host data for others and ensure security and reliability and uptime for the services that we provide in those enterprise and hosted environments. So broadly, as we think about it, privacy is something, again, we would love to differentiate on. We think we are differentiating on it, but it does come down to balance, and it's a balance between regulation and innovation. We'd love to see companies compete in this area. We think that self-regulatory work is important, and it's important to hear from consumers as well, because without their buy-in, we won't be selling the kinds of products and services that we think will take us into the next generation. So thanks very much. We look forward to the dialogue. 

Well, let me thank all three of our panelists. I think this was an illuminating conversation, but there are some points you can raise. I generally think at a more strategic level, and maybe we'll come, I have many questions, but I know the audience does too. Everyone welcomes any move towards harmonization. So moving from, I thought you were 28, does that happen yet? My 27, to one set of rules will be an improvement. And in listening to both Francois and Julie, there were many areas of compatibility, but when I was thinking about this before, I thought there's kind of a continuum here, and at the one end you have harmonization and at the other end you have unilateral or extraterritorial, and so one of the issues will be drawing the line here between harmonization, not only within the EU, not only transatlantically but globally, and where we'll take unilateral action. Of course it's funny for an American to be lecturing about unilateralism and extraterritoriality, but we'll put that aside for the moment. I'm very sympathetic to what the Commission is trying to achieve, but there are three things we might wanna think about. 
The first is changing attitudes towards privacy, and Mary touched on this. The survey data does not reflect behavior, right? And I'm surprised that you got as many people saying they were concerned as they are, and if you use a social network, perhaps you don't know, but you've given up your privacy, right? And so you can all do this test at home. Type your name into Google, or, to be more precise, type your name and your phone number, your name and one other piece of data, and see what you've got. So we have this dilemma where I have people telling me I care a lot about privacy, but oh, by the way, when I act online I don't pay any attention to it. How do we deal with that? And this might be more of a long-term problem. Attitudes towards privacy are changing. The second one I alluded to: 20 years ago it was much more fun to be in this business, because if the US and Europe agreed on something, particularly if we had the Japanese on board, that became a global norm. That's no longer the case. So when we think about how do you establish global rules, you have to engage in some way countries like Brazil, India, perhaps even China. There are others too. This is a global world, not a transatlantic world, and we need to think about that. Finally, and the concern I think we'll hear about from many people is, what is the effect of the regulation? Pardon me, what is the effect of the Commission's thinking on new business models? And I'm a little ambivalent towards this myself. I mean, I talked to one of the big software producers for data mining recently, and you know you can buy a lot of this data. You all know that, right? So you can buy, like, Twitter feeds. And people, this is back to the privacy issue, people tweet about the most ridiculous things, like "arm covered with red splotches," right? Well, who the heck tweets about that? It turns out lots of people do, and you can predict disease outbreaks months in advance, car buying patterns, house buying patterns, unemployment. 
The ability to use the statistical packages we're all familiar with to mine this data provides both opportunities, but it clearly provides risks too. So how will we affect that? Finally, we know from the last time that the US and the EU engaged on privacy, the result of which was Safe Harbor, right? This will be a process of negotiation, right? So one of the things I hope we can do here today, with your participation and help, is identify the issues that must come up in any process of negotiation as we think about applying this first transatlantically and then perhaps globally. I don't know how you wanna start. As I say, I have loads of questions ranging from softballs to mean, but perhaps I'll start by saying, does anyone in the audience have a question? We will give you plenty of opportunities, we have lots of time. Go ahead please, and could you identify yourself when you ask your question? 

Brian Biri, I'm the Washington correspondent for EuroPolitics, an EU affairs newspaper. I think my question is more for Ms. Lobay. The US has a law that's causing quite a fuss at the moment in Europe, the Foreign Account Tax Compliance Act, FATCA, and it's forcing European banks to hand over all their customers' personal data, financial records, to the US Treasury in order that the US Treasury, for tax evasion purposes. The European Commission has not really said anything about the data privacy implications of that, and I know the European Parliament has started to pay attention to it, but you have a legislature in one country telling companies in another country to hand over very sensitive personal data, and the Commission supposedly being the guardian of the European data privacy framework, why has the Commission not said anything on this yet? 

I gave every one of the speakers a get out of jail free card, so let us think about that. 
I think what you might say, just as a foot, and we'll have to think about it, and I don't know if any of the other panelists, but there is a greater degree, perhaps, of cooperation when it comes to money laundering and to tax evasion among the finance ministries. That would be my initial thought in why you're not seeing as much reaction, is that the, I know tax evasion is not only a concern in the US, but let us take that one and we will get back to it. Mike. 

Mike Nelson with Bloomberg Government. When I first started doing these issues 20 years ago, it almost seemed like there were two alternative realities. There were the European privacy commissioners who were all talking to themselves, and often at the same time, somewhere else, the justice ministers were all talking to themselves, and often they were working together to share information in a classified environment and causing all sorts of anxiety both on this side of the Atlantic and overseas. Lots of talk about Echelon and wireless, warrantless wiretaps, and it really does seem that it's hard to have this conversation when everybody knows there's a lot of information being shared in the intelligence community and another realm; people just assume they have less privacy than they have, and they assume that governments are snooping, they're getting SWIFT records, they're getting bank records. How do we resolve this? How do we really know what's going on, and how do we give consumers any sense that they have any privacy with regard to where their commercial information is going? 
Well, I think the question you're asking is exactly what we are trying ourselves to clarify and give the elements, the tools for consumers, what we call citizens ourselves, because for us it's a fundamental right, not only a consumer right, precisely to understand what is going to happen to their own data. And this is why, first of all, we have these rights: first of all, being able to know what a company has on you, which is not necessarily possible now, and having it done in a very simple way and free of charge; having the right, for example, to rectify the data which exist on you; having the right to have them removed, of course with a certain number of conditions; and having the right to be aware, when you are getting on the internet, to know what you are consenting to. And it's true that- 

The government snooping. 

Sorry? 

That does not address the question of government taking my bank records and sharing with intelligence agencies all around the world. So I might know what they're collecting and I might know what's shared, but I have no transparency. 

Well, I mean, first of all, of course, when you are in the police and justice cooperation, the rules are different because the objectives are different, but it's not that the government can mine into your data and transfer it to whoever, to whoever, without rules. So there are clear rules. They are rules that we are ourselves trying to address with both instruments: for the commercial data in the regulation, very straightforward and directly applicable, and for the police and justice cooperation element through a directive where, of course, the principles are the same. And this is very important to convey: in both instruments, the principles of data privacy are the same. And then, of course, it operates in a different way, with more flexibility for the police and justice cooperation for obvious reasons. But what is important is that in both cases, and of course with different conditions, you are entitled to know whatever anyone has on you. 
And, of course, in the police and justice cooperation without putting at stake the anti-terrorist actions and all this, the public security, the national security and all this, which remain a category of their own. But the entire attempt of building on the existing laws, on the already existing laws, is to clarify all this, and the citizen will be able to know in most of the cases what a company, certainly what a company, has on him and, again, have a number of rights attached to it. 

How do we respond when a lot of people don't know what the protection is? 

No, I understand the question, and it's just not in my wheelhouse. I mean, we really focus on consumer data and information as it is dealt with in commerce. I mean, that's just our jurisdictional limit. So I'm sorry I can't be more informative in terms of response. 

Well, let me try a different one. So a few months ago, I was in Asia at an ASEAN meeting, and I was talking to a telecommunications vice minister from one of these countries, and he said the following. He said, why does US law apply on my national networks? Your law with the First Amendment allows online gambling and pornography, and my law forbids that. Why does your law take precedence over mine? And what I said to him is, of course, on your national networks, your national law should have precedence, right? Where you should not have precedence is in the extraterritorial application of your national law. I'm not sure you like that. But the issue I think that underlies this, and it's a hard issue, is where is jurisdiction? What determines jurisdiction? It's no longer clearly physical, right? At one point we could say you are in this country and I have jurisdiction over you, right? But now we're saying no, there are other cases where you're physically not present. Sound like a credit card, don't I? And yet I claim jurisdiction. So how do we decide how to establish the boundaries of jurisdiction in the new environment we have, or the new digital environment? 
I don't know who wants to. 

Well, in the regulation we address this question, and we are saying that companies which are not based in Europe but which are offering goods and services to Europeans will be under the regulation. And the reason is that what we want to do is to protect the data of European citizens, and for the reasons you have explained, these data are not going to stay necessarily in Europe, and we need to make sure that this data, when transferred by these companies, is going to continue being protected. So we apply this logic in the regulation. 

We certainly understand at the Federal Trade Commission the desire to ensure that we can address conduct that affects U.S. citizens. And because, as you've pointed out and we've been talking about, so much conduct is extraterritorial, we have to make sure that we have the ability to appropriately deal with extraterritorial activity. In the United States, we have two principles that form the boundaries around which the Federal Trade Commission can operate. One is under our U.S. SAFE WEB Act, which is a specific congressional limitation on the U.S.'s work with respect to companies abroad or activity abroad. And what it says is that we will have jurisdiction where a farm practice and its effect on U.S. citizens is foreseeable, when it has foreseeable injury that could impact U.S. consumers. So that's one concept that provides a boundary around our jurisdiction. Another concept, which is a broader concept that applies generally with respect to the jurisdictional reach of the U.S. courts, is the concept of purposeful availment. Is the entity or company abroad purposefully availing itself of the benefits and rights, et cetera, within the United States? And if there is purposeful availment, then the U.S. courts, generally speaking, have reach. 
Now, one of the things that I chatted about with my various counterparts when I was in Europe was discussing these concepts of foreseeable injury, purposeful availment, because I know that with respect to what I'm hearing from businesses is wanting to be sure that they understand the rules that will ultimately be adopted in Europe, and that the rules are appropriately bounded, and they want to know what it means. And so this is something that's obviously going to be discussed a great deal as the proposed regulation moves forward. But I wanted to express our experience in terms of these concepts, with respect to Francoise, to her colleagues, et cetera, because they provide guidance to business. They provide guidance to players to help understand when they will be potentially swept up in a matter because they fall within one of these two categories. 

And sorry, no, that's all right. I just would add on at a higher level, from a corporate perspective: on the enterprise side, of course, we provide services such as our Microsoft Azure product and Office 365, in which we encourage our customers to allow us to host their data. And as we provide support for that data, the data does flow sometimes outside the borders of the country where the server is. And that's important for us in order to ensure that it is readily available and for us to be able to provide maintenance and support broadly. So setting aside the jurisdictional question, the ability to understand how we comply with regulations in each of those jurisdictions is also very important. So it comes back to where we started, which was harmonization kinds of issues. 

Can I say a word on this? Because I think this is the beauty of having a regulation and of having a clear legislative instrument that all companies can base themselves on. And what is important for any company around the world is legal certainty, and it is predictability. And this is what in Europe we are basing ourselves on. 
It's really to have, to offer companies a clear, solid legal framework. And this is my position, and again, we very much value all the work which is done in the US and in particular at the FTC. But there is a strong difference between having a clear legal framework, and we have seen, for example, President Obama proposing a bill of rights some time ago, and there is clearly there this feeling that something of this kind is needed. But there is this difference in the way we operate on our side, with an extremely legal framework where the companies know where they stand and where we can also explain what exactly it means for them, and of course an American system where there is guidance, and Julie was saying there are plenty of reports. There are of course plenty of reflections about it. But it is very often based on voluntary commitment by companies, which doesn't necessarily bring the transparency for the consumers and the stable framework for companies. 

I'm sorry, just, we, one of the issues is definitely a deception-based jurisdiction that we have, which is based on voluntary commitments, but we've also been moving a great deal in terms of focusing on just unfair practices. So we do both, but it is a common law approach. It's not, it's a different, it's case by case. It's developing practices and looking at specific practices, looking at specific matters and determining whether or not those are either unfair or deceptive based on a body of case law that is extremely old and well-developed. So it is definitely a different framework. And the question is how, within our framework, can we look at the same types of issues that are affecting Europeans? 

Absolutely. Joe, I think you had a question. Could you, for the few people in the room who don't know who you are, could you? 

Thank you, Joseph Alladette with Oracle. 
And I wanted to highlight the fact that if you look at privacy both in the EU and the US, there are antecedent instruments, the fair information practice principles on the US side, Council of Europe Treaty 108, the OECD guidelines, which embody the principles that both sides of the Atlantic share when it comes to privacy. And as Julie pointed out, they've taken different paths in implementing them. But the objectives of what they're trying to reach, I think, are fairly much the same. That being said, I think it would probably be not the case that we're gonna see a harmonization across the Atlantic of exactly what the rules look like. But I think with APEC we have a perfect example of not letting the perfect get in the way of the good. And the good is a mapping between cross-border privacy rules in APEC and BCRs in the EU. So the concept is, what are practical methods of interoperability that can help enable data flows while not creating unreasonable mutual recognition, but not requiring you to reinvent the wheel of something you've already done? Because it recognizes those elements you've met and then identifies those elements you still need to meet. And so this practical approach is very promising. And we see that that could be something that could come out of the work being done on codes of conduct in the multi-stakeholder process in the US. The draft regulation talks about codes of conduct. We have the concept of ways in which legitimate interest and adequate safeguards could be used in a manner in the draft regulation to also help create these methodologies where you assure the level of protection, but you do it in a way that is more flexible and adaptable. And I think that is also something that is beneficial, and I would like to support the continuing work of both the EU and the US in that space, because I think it helps make sure that we address those concepts. And it also is very inclusive of other economies besides just the transatlantic ones. 
That was really helpful, but where shall I put the question mark? 

Well, I think it was talk amongst yourselves. That was the topic. 

Let me ask an easy one then, which I think all three, no, it will be easy, I promise. All three of you can address it, but how will the data protection reform change Safe Harbor? What will Safe Harbor look like after this? So I think all three of you can talk. Will it be the same? Will it be different? Tell us. 

Well, first of all, I want to be clear on this, because we have had many questions on this and the future of Safe Harbor. And we have been very clear on this. We have said Safe Harbor exists. We are improving it every year. We started with very few US companies in Safe Harbor. We have now 4,000 companies which are part of Safe Harbor. And Safe Harbor is here to stay. We have been very clear on this. I think we need to continue improving it over the years, but I mean this is a strong basis for further development. 

We've spoken with Francoise. We've spoken with Vice President Reding, and we're very pleased to hear a continuing commitment to Safe Harbor throughout our discussions, since we are one of the entities that enforces it, and we're vigorously doing so. I think it actually works quite well and is part of the interoperability that Joe was referring to. I wish we were going to re-terminization. I think I'm more of a pragmatist along Joe's lines, and I do believe that enforceable codes of conduct was another concept that we spent some time talking to our European friends about, because we have a fair amount of experience with enforceable codes of conduct, and it was a concept that folks in Europe are very interested in and want to learn more about how one actually enforces a voluntary commitment. So we did spend quite a bit of time talking about that as well. 
And I would say again, from the corporate perspective, whether it is Safe Harbor or whether it's model clauses in Europe or binding corporate rules, what we've really appreciated about the work between the EU and the United States is that it is the principle that is quite important, and then obviously enforcement is key too, but that the principles enable the companies to continue to innovate, to potentially do more than what would be required by a safe harbor, and that that is an important point for us, to be able to continue to be able to work even on top of what might be viewed as the safe harbor in the area, because it's important for us in terms of how we think about our own business. 

Just a short one, Jim Berger from Washington Trade Daily. On these proposed regulations that the FTC is putting out, my question is, how much input did the EU or the Council or the governments or EU companies have in developing that regulation? 

Well, the rules are, I would say, simple, we may not share this appreciation, but the way we operate is that the Commission makes a proposal, it's a proposal as well where we have worked on it for two years, and we have really had more consultation on this proposal than I think on any other subject. So there was in the designing of the proposal a huge amount of consultation, and then the Commission adopts the regulation, and then it is discussed in the Council, which means with member states, and then with the Parliament, and it's the end result. I mean, it is after all this that the regulation is finally adopted. And I think there is a very interesting debate which is taking place right now under the Irish presidency, and a very interesting debate also in the Parliament, and at the end of the day we are going to have a text where a lot of people would have had the opportunity to give their opinion, but this text which is adopted by majority, and that's the way the system operates, works. 
Oh, I'm sorry, are you talking about, like, for instance, or are you referring to COPPA, or are you referring, for instance, as an example, or are you referring to, for instance, the President's proposal for a Privacy Bill of Rights, I mean. Okay, so we have, sure, sure, sure. I'm sorry. Excuse me, no, that's mine. That's probably my child asking for money or something, just one second, I'm sorry. I'm sorry, so you wanna know how companies have, or how Europeans have, input into our, okay. 

And would they have more under a trade agreement? 

Under a trade agreement? I don't, I'm not gonna comment on a trade agreement, but I can certainly tell you that when we propose rules, we follow, typically speaking, a law that requires anyone who wants to have input, and many of the rules that we have done, and actually I should say we do the same thing whether it's required or not, with respect to reports that we write, with respect to all sorts of activity that we're involved in. We seek a wide range of comments from all sorts of stakeholders, and we have received, I may get some of the details wrong in terms of when the Europeans have provided comment, but we have received comments from, for instance, the DPAs, the data protection authorities, the Article 29 Working Party, with respect to various efforts that we've been involved in. And by the way, I mean, I've, for instance, met with the Article 29 Working Party. I meet with the DPAs a great deal through the International Conference of Data Protection and Privacy Commissioners. I am very involved with that group, so we have a lot of dialogue with them, but they also have commented formally in terms of both regulatory work we're involved in as well as policy work, and we take what they say seriously, just like we take all stakeholders' comments very seriously. Does that respond to your question? 

Yeah. 

Okay. 
Can I also add, since you asked for the input we had, we were very interested to have a formal letter from 25 US consumer associations supporting the reform and telling us to go ahead. It was very interesting. 

No comment on that one. We had a question. 

Yes, hello. My name is Adam Beesudi, I'm with Inside US Trade. And I know you said you wouldn't comment about a trade agreement, but as the two sides move towards negotiating a trade agreement, one of the main issues is the free flow of data across borders, and businesses in all sectors really want binding rules allowing the flow of data, which you naturally run into issues of privacy with when you look at that issue. I mean, to what extent, maybe in your current dialogue, are you addressing that issue? And to what extent can the two sides address that issue in a trade agreement? And ultimately, is there any chance that this could result in some sort of equivalence, some sort of finding of the systems being equivalent, as a result of these negotiations? 

We really, despite the fact that trade is in our name, this is really not what we do. There are lots of people in the US government who are very deeply involved in that precise issue. And it's very much under development and under discussion, but we at the Federal Trade Commission are not involved in that. 

First of all, just a quick clarification on the law I mentioned. It has nothing to do with catching terrorists or organized criminals. It's purely to raise tax revenue for the Internal Revenue Service. So in terms of national security carve-outs, that doesn't apply. But my question was actually for Julie Brill. Privacy by design, could you, and if any of the panelists want to jump in, could you just talk a little bit about how much consensus there is for that? Because I was at another panel about a year ago on this, and I think the White House lead person on this, it got very tense because of Mr. 
White's, yeah, because when he pushed on it, he said the White House does not support privacy by design. And that's why I'd like to know, how much consensus is there in the US on this? 

Danny's a good friend of mine, so I was in there. I don't know what he, that I won't comment on where Danny was, but he of course is no longer at the White House, but I'm sure he was there when he was speaking. Privacy by design, I believe, is a concept that is gaining growing consensus and growing acceptance. I cannot comment in terms of whether it has universally been adopted by all segments of the ecosystem. But just to make sure we're on the same page, because again, maybe the previous conversation you had was about a particular element of privacy by design. Privacy by design is a concept that says that rather than thinking about privacy after you get a subpoena or a call from a regulator, instead to encourage companies to be thinking about privacy as they're building their products and services, to have it deeply embedded within the framework within which companies are operating. And there's a lot of discussion about how this is moving forward, at least in the United States. If you look at an organization like the International Association of Privacy Professionals, the IAPP, that organization has grown by leaps and bounds over the past three or so years, where now I believe it has on the order of over 10,000 members, thank you. I was gonna say over 12, and I wanted to make sure I was not overestimating. 74 countries. I'm sure Richard's right. I've no doubt about that whatsoever. So, and this is just a tidbit of an example of the way in which people are really thinking about privacy, that you have CPOs, chief privacy officers, being brought into the C-suites of corporations, because I think everyone is recognizing the importance of trying to address these issues. 
And again, privacy by design plays a role in that because it is the notion that you're gonna be thinking about this from the beginning. And just quickly, and I'm sure Mary has something to say about this as well, but I talk to a lot of different stakeholders. That's how I view my job. I need to understand how things are working in terms of what we touch and what we do. Many of the older, more established companies have said to me, whether it's in the data broker world or in the online world, that they wish they had thought about privacy by design five or six years ago when they were developing their systems. The notion of trying to retrofit systems to deal with privacy is a much, much harder lift than it is to deal with some of these issues from the beginning. And that's what we're trying to encourage in terms of best practices and operationalizing privacy, is this notion of, if you think about it from the beginning, it's actually easier and it becomes more cost effective and easier to do. So, but like I said, Mary, I'm sure. 

No, we talk about privacy by design at our company as well, and it is a concept that is quite alive where we are. I have a group of lawyers who focus very specifically on privacy issues, but I also have a group of 75 or 80 lawyers who are embedded within all of the business groups at Microsoft, and I think every one of those lawyers would say that he or she knows a fair bit about privacy. They are advising day by day by day as a feature is being developed on a new service or a new product. They are looking at screenshots. They are looking at startup menus. They are very much focused on this issue as part of a design element of the product. 
Now, Commissioner Brill is really quite right that going back and retrofitting something is quite, quite difficult, and so old systems are really hard to go back and sort things out, but as we go forward and as we're developing new products and services, you know, I would tell lawyers originally you need to know a little something about copyright law, and now all the lawyers need to know more than a little bit about privacy law. 

Just a word on this to say that we very much support privacy by design. You will find it in the regulation. We think it's very important, and we also, in the intense consultation we had in designing this regulation, many companies told us that they were including privacy very early in the design of their own programs or services and all this, and this makes sense. It's much more complicated, more costly, to integrate privacy at a late stage of the development of a program or service. 

I had a question. I'm Tyson Barker from the Werdholzmann Foundation. I had a question for Mrs. Brail. You mentioned at the beginning that one of the ideas behind data protection, one of the principles, is control of your data. I was wondering, with regard to the NIS directive, the directive coming out of the European cybersecurity strategy, if there's any discussion. We have this idea that there are compulsory disclosure requirements for companies in the event of breaches. If there are breaches that deal with consumer data, are you guys talking to governments? Is there any element there that deals with disclosure requirements to those consumers as well? Not just to governments, that the private sector has to give governments the information, but either the private sector or government has to notify consumers. 

Perhaps a gray area: there are breaches that could affect intellectual property or critical infrastructure that have an implication for both governments and for the company. 
There are other breaches that would include personal information that would affect the consumer. And so the question is, do you treat them the same way? Do you make some sort of dividing line? So that's really the issue. There's one set of concerns that are security and public safety concerns and another set of concerns that are privacy concerns, but there may be some overlap. And so is that a fair, better stated?

Well, so we have not, the question was to you, by the way.

I know, I'm sorry, I know, but I don't know the answer.

I'm happy. It was to me? I'm sorry, I try hard. I'm happy to answer it from the U.S. perspective, but please.

Nice try, though.

Well, you will find in both instruments, regulation and directive, provisions on data breaches. Of course, the principles are the same, but they are differentiated according to the instruments and to, of course, security again. The novelty in the regulation is, of course, that there is this obligation to report these data breaches. With a certain flexibility, which has not necessarily been seen by those who read the text initially, when we say that it has to be reported whenever possible within 24 hours. We, the discussion continues on these provisions on data breaches, and I guess that there will be, in the course of the future discussion, clarification, or not, on exactly situations like the one you mentioned. This is operating, but it's still the subject of discussion.

Including a question then, because this is an issue that I've been wondering about for a long time. In the US in some regulatory approaches, more dealing with government information, there's a belief that some data is less sensitive than other data, and that you can rank data and say that the less sensitive data requires a lighter treatment or engenders less concern. So the question might be when we think about it, and this is for all three of our panelists, is there any place where you could see consent being waived, consent being unnecessary?
Or are there places, we know there's a few, where collection even with consent is unacceptable? Where do we draw these lines, and is there a way to think about this as saying there's some areas of data that we are willing to take a very light approach to? There's other areas where only the most strict approach can apply, because one reason this was developed is the notion that a one size fits all model may not best serve the needs of a digital economy. There was a question mark in there, but.

I don't know, I'll take a first crack at that, because we've actually, what, we've actually addressed that. Is that okay, François? It's a very important question, and it's something that we at the Federal Trade Commission have thought a lot about, and we talk about, and this is particularly addressed in our big privacy report of a year ago, but you also see it reflected in various laws, some of the sectoral laws, for instance, HIPAA, dealing with health information, COPPA, dealing with children's information, and our new change with respect to the COPPA rule on geolocation. So what we said in our big privacy report is consent, and the need for different levels of consent, should be contextual. It should depend upon the relationship between the user and the website or the app or the browser, whatever it is. We've also said that more sensitive information, that is information that is either financial, health, relating to children, we also mentioned geolocation, that is the bucket of information that in many circumstances should require an affirmative consent. But the context of the interaction, if a consumer is on a particular website and the website needs to send that information to a fulfillment house in order to get the good to the consumer like a book or whatever, it doesn't seem to make sense to require the consumer to give consent to have their address provided to the fulfillment house, right? That's an example of the context of the transaction.
We need to have these rules make sense about when explicit affirmative consent is gonna be required. So there is, we believe, a scalability of sensitivity, a scalability of the need for consent, and we are trying very hard to identify those areas where explicit consent is needed. One of the areas that we're developing through our case law is when there's a material change in the way information is used. So if you look at some of our large consent orders, we are going to be, we are saying that explicit consent is needed when there is a material retroactive change in the way data is being used. So again, that's another one of those contextual examples.

So we noted, of course, the FTC's report and we're going along those paths exactly as Commissioner Brill is talking about too. And so for us, this notion of contextual consent is very important. I would note that it will get more complicated as more and more services come online with uses of information that we maybe are not contemplating today. And I think we'll also then have the question not only of contextual consent, but whether or not it is persistent consent or whether you'll need to ask more than one time if it's a particularly sensitive piece of information.

Well, of course for us, consent is very important. And one thing I want to draw your attention to is that consent is not the only basis for data privacy. There are plenty of other legal bases for processing data than consent. And in a way, you have contracts, you have the commercial legitimate interest, you have plenty of other ways to be able to legally, to lawfully process data than consent. But of course, consent is very important. We want to clarify that individuals again know what they can expect for what they are doing. So does it mean that consent will be asked all the time? Of course not. We're not going to click 50 times in a one-hour session on the internet. Of course, there are many ways and the technology provides ways of dealing with this.
But the important thing is that by your position with what happens now, you are aware of what is going to happen to your data. And there are plenty of practical ways of doing this, but again, this is for us a very important point.

Well, we've reached the magic moment and I'd like to ask you to join me in thanking a very thoughtful and articulate panel for their discussion about a complex issue. So if we could give them a round of applause. Thank you.