 Good afternoon to you all. My name is Joyce O'Connor and I chair the Digital Futures group here at the Institute of International and European Affairs. You're very welcome to the Institute's webinar on Shrems II and the EU-US Privacy Sheet, the European Court of Justice rules the world. With Cameron Kerry, the Ann Orr and Andrew H. Teesh Distinguished Visiting Fellow at the Brookings Institute in Washington, D.C. Cameron, as you know, you previously addressed this here in the IIEA, back would you believe in 2012, which is a long time ago, and in different circumstances when you worked in the U.S. Department of Commerce. So you're very welcome and we're really, really happy to have you back here again. And I have to say you have a great title for your presentation. And as we know you're a global thought leader on privacy and data transfers issues. So we're really looking forward to your presentation. The program today is as follows. Cameron will speak for 25 minutes, 30 minutes or so. And then we'd go on to questions with you, the audience and Cameron's presentation and the Q&A will be on the record. And send in your comments or questions. And that would be good maybe during the presentation through the question and answers function that at the bottom of your screen. I'd really appreciate if you've got your name and affiliation when you ask a question. Please also feel free to use Twitter. Our Twitter handle is at IIEA. Cameron, your presentation today is timely and important. The shrimps to judgment of July, just July this year by the Court of Justice of the European Union, invalidated the EU U.S. Privacy Shield framework, which had been established to ensure the personal data transfers from the EU to the U.S. to comply with EU law. On Monday last, Facebook filed high court papers challenging the data protection commissioner here in Ireland, Helen Dixon's preliminary order to stop data transfers. There's not a debate about that, of course, and some commentators have asked the question, are we close to a major breakdown on how the internet works and who is allowed to send what and to whom. And by that I mean normal services, even like social media or even online shopping. Cameron, I know you'll explore the implications for data transfer mechanism between the EU and other partners. So we're very honored to have you back again here at the IIEA today. Cameron served as general counsel and as acting secretary of the US Department of Commerce. He also led the Obama Administration work on privacy and the engagement with the EU. As a lawyer, he wrote the definitive analysis of the Court of Justice of the European Union on shrimps to decision. He is currently the Anne and Andrew Tish Distinguished Visiting Fellow at Brookings Institution in Washington, where he focuses work on privacy, technology, and their interaction with transatlantic relations. You're very welcome Cameron and the screen is yours. Joyce, thank you very much and it's, it's good to be back virtually, at least. And when I was in Dublin in 2012, it was during the Irish presidency of the European Council in the consideration of GDPR. And, you know, that that visited meetings there was a part of what's been ongoing involvement for me with with the GDPR as a government official as a practicing lawyer and now at a think tank and began at the drafting stage and has continued through the legislator process, the Snowden reaction, the implementation of GDPR, and of course the decisions involving both the safe harbor framework and, and now privacy shield. And I did do that analysis that you talked about and also acted in the general court of the Court of Justice and litigation on the privacy issue. Of course, the outcome of that litigation was the shrimps judgment in July. So, let me offer some observations on that judgments and talk a little bit about what, what comes next. Let me say at the outset that I, I come to these issues as, as somebody who's linked to the European experience. I spent much of my childhood in post war Europe, because my father was an American diplomat right there and many of my close relatives are in Europe, because my, my mother was one of 11 children of a family of Americans who left Boston to live in England, and in France. She lived in Paris at the beginning of World War two and she was among the refugees who poured out of the city in front of the invading Nazis. The sister that she lived with was interned by the Vichy government for harboring refugees and Jews. The home that my grandparents established in Brittany was destroyed by the, the Germans during the, the Battle of San Maro. And the brother and sister of my father's mother were transported from Vienna to the Therese concentration camp, where one died the other was shift off, shift off to Treminka. And at the age of four, I lived in an allied occupied Berlin that was still scarred by a bombed out, bombed out and burned and shut up buildings. And then I went Berlin and later in Norway, my family was stationed on the edges of the iron curtain. So I bear some of the imprints, I think that have affected the European understanding of privacy and data protection. And I think sometimes it seems as though the US and Europe are divided when it comes to privacy. Certainly, it seems like that with the Shremstuh decision. You know, I think a lot of this perception comes from cognitive dissonance on both sides stemming from differences in our legal systems and in ways of thinking about law. Ireland, of course, spans both sides of this gap. It's a common law country. Now, the only one in, in the EU. But it operates under EU, EU's civil law system. And, you know, like America, its imprints on privacy and on civil liberty are really rooted more in our revolts against the British crown than on totalitarian systems. We see the CJU's Shremstuh judgment as a very much a product of civil law system and is reasoned deductively from the words in principles of the EU charter. And the decision takes the EU's exceptionalism. It regards data protection to a new level. It overrides the balance that the European Commission struck with the EU's interest in sustaining what is the Union's most important trading relationship and recognizing sovereign interests of the United States and then accommodating differences between American and European legal systems. At the end of the day, the decision, the CJU's decision raises doubts about the ability of any company doing business in Europe to transfer data outside the European Union. And could result in a form of soft data localization that, you know, could validate policies in, in China, Russia and other countries that that require data localization. It certainly sets a high bar for any new arrangement between the US and the EU. So for data transfers to other EU trading partners as regulators and companies apply the decision transfers to some countries and in some circumstances are going to continue but some will be deemed too risky and leaning companies or regulators to keep data within the EU. But if there was any question about those implications, I certainly should have been erased by the news of the data protection commissioners preliminary decision. The case is about Facebook, but it could apply to any company. I'm not sure if it's the National Dictionary Dixon is certainly forcing the issue and setting it on a path to the European Data Protection Board and probably through one process or another back to the Court of Justice. One of the striking things about this decision and its predecessor and others in the Court's jurisprudence says that although its authority over member states on national security is limited by the charter by the treaty on the foundation of the EU, it has much more leverage over the United States because of the adequacy requirement in the GDPR. And the prominence of US technology brands and the scale of surveillance make it an attractive target, attractive target or perhaps a whipping boy. In the decision rather than look holistically at an extensive record on US surveillance law and safeguards and practices developed in the Irish High Court case. The ruling that the scope of your surveillance and the judicial remedies available go beyond what's necessary in a democratic state was based principally on concessions that the commission made in its adequacy decision, without really considering the totality of safeguards or differences with the in the US legal system and the way that our law incorporates regulations, executive orders and other subsidiary law. In the first Shrem's decision, the court took pains to say that the essentially equivalent standard for adequacy does not mean a level of protection identical to that guaranteed in the legal order. But in the privacy decision, it framed adequacy as compliance with the provisions of the charter. Certainly the decision creates distinct problems for the US and some 5300 US and European countries used the privacy shield for for transatlantic data transfers. Many of those also relied on the other mechanism in the sea, addressed in the judgment which are the standard contractual clauses that the EU propounded to enable transfers of data to countries with their no adequacy decisions. The contractual clauses to are in doubt given the, the obligation that the court declared for exporters of data and importers, both to consider on a case by case basis, whether the third country laws prevent compliance with the clauses and to suspend or terminate data transfers, if so. And also the obligations of supervisor authorities to do the same. With respect to the US, the rulings present an inescapable question whether compliance with those clauses are possible. And that is the question that Halen Dixon's preliminary decision presents. The US is not alone in these questions. A great many EU companies are using contract clauses to transfer data all over the world. The US includes countries like China, Russia and India that have extensive surveillance programs and controllers are now obligated to consider if this surveillance limits their ability to comply with fundamental rights. The Commission will revise the clauses. The European Data Protection Board will provide more guidance on the additional safeguards that the GDPR and the court's decision allow and principle for countries without adequacy. But the extent to which the contract clauses or other mechanisms like binding corporate rules allow existing data flows is still up in the air. And ultimately is going to depend on the risk tolerance, the pragmatism of data controllers, the commission DPAs and eventually the court of justice. The decision also creates uncertainty for many of the EU's trading partners. These include countries that have existing adequacy determinations. And also, both South Korea and the UK, which are seeking adequacy determinations, and those reviews are going to require the same scrutiny of intelligence programs that the US has had. As the CJU has become increasingly firm in its direction on data protection and an application of charter principles, it's become, I think, increasingly theoretical and detached in its decisions. Given all of the certain uncertainties about the viability of data transfers that I talked about, it's absurd for the court to say, as it says in its final paragraph that, you know, giving the decision immediate effect is not liable to create a legal vacuum. On July 15, the day before the decision, 5300 companies were in compliance and relied on the privacy shield to transfer data to the US in the afternoon of July 16. They had no legal basis for transfers. And, you know, the alternatives are contractual clauses. How viable are contractual clauses when they need to be revised when they're subject to difficult questions about foreign law. And this is an impossible burden for companies, even for supervisory authorities. At this point, hundreds of pages of high court testimony, opinions from the data protection supervisor and others, submissions for the privacy shield decision and legal argument before the CJU went into explaining the US law, how can any data exporter possibly achieve any small fraction of that understanding. And as any data exporter in China or Russia, really going to say that their government's intelligence collection inhibits compliance with standard clauses. So where the GDPR standard contracts apply in the adequacy, in the absence of an adequacy determination, and it's the commission that makes those determinations. But the decision, you know, quite explicitly injects the adequacy requirement into almost all data transfers to all countries in the world. And it puts that decision in the hands of data exporters in the first instance. And then supervisory authorities. So it's certainly tempting to say that the CJU got it wrong. It's tempting, but it is ultimately futile. As a US Supreme Court justice famously said about about his court. We are infallible because we're final. The CJU has spoken, the EU, the US and the companies that transfer personal data across the Atlantic around the world now have to deal with it. So let me talk a little bit about how I think the US needs to deal with it. Now, arriving at something that will satisfy the CJU is going to be complicated. Neither the commission nor the US can afford to lose a third case in American baseball. The rule is three strikes and you're up. So both sides need to sustain trains Atlantic flows because you know they are so important to economies that comprise nearly half of the world's GDP, and they are the most digitally interconnected regions of the world. I'm revised contracts additional legal and technical and organizational safeguards of the kinds being considered may enable some transfers, but I think some will require a new US EU framework. And I think it will take US legislation to achieve the robust and stable framework that's needed. So as I mentioned the US has an array of safeguards over surveillance which have been adopted over decades in response to past abuses and enlarged after snow. Some are incorporated in the statute that authorizes surveillance of foreign communications. Others are in presidential orders governing intelligence agencies and various regulations that govern law enforcement and intelligence services. These originated in the past decade to protect people within the US and US nationals everywhere. We call US persons in national security law. President Obama's presidential policy directive 28 declared that all persons should be treated with dignity and respect regardless of their nationality or where they might reside. Extending the protection of US persons to people everywhere. This declaration established a new international norm as a group of EU based experts in a study funded by the EU and published by the Oxford Internet Institute found few if any countries offer the kinds of protections for foreign nationals subject to their intelligence gatherings that are now being demanded of the US government. And the US now serves as a baseline for foreign intelligence standards. So I believe we should reflect this leadership in our laws by codifying President Obama's order into law explaining how safeguards for US persons apply elsewhere and reflecting the the procedures that exist to limit collection use and sharing of intelligence information about individuals. And that way, through our laws we can in the words of our declaration of independence, let the facts be submitted to a candid world. I think addressing the CG is concerned about judicial remedies is more complicated both politically and substantively, but I think it begins with differentiating between redress. And judicial remedies which the CJU conflated by talking about judicial review to have access to personal data or obtain rectification or a erasure of such a data. Access and rectification is in redress is an independent right, which GDPR gives to data data subjects. And, you know, they're parallel rights for government bodies. But in fact, in most member states, individuals are not able to sue to gain access to files of them because of the need to maintain secrecy in ongoing investigations, which the Court of Human Rights in Strasbourg has recognized. And instead, typically an oversight body of some kind over investigates individual inquiries about surveillance and initiates a corrective action without disclosing whether surveillance takes takes has taken place. And this is essentially the function that was performed by the ombuds person under the privacy shield in response to the requirement for redress. And I think it will be possible to put in place a more independent mechanism with stronger powers. Access to a judicial remedy after that administrative process or initiating a challenge on the lawfulness of surveillance would certainly require legislation. This is a place where subsequent notification as exists in some European countries can help. And some EU member states, not all have requirements to notify the subjects of surveillance, some years after the investigation. Similar to requirements that we have in the US under our wiretap laws and under evolving law under applying our constitutional protection against unreasonable searches and seizures in the Fourth Amendment to the Constitution. So we have precedent for legislation on notification and notification in turn would provide a concrete basis for standing to bring a court case. I believe that this prior court authorization, as well as standing for judicial review is something that should be subject to reciprocity, much as adequacy is should be available only where foreign governments extend equivalent rights to US persons. This would push other governments the EU included to apply the international norm the US has set and ensure that we are not obligated to treat North Korea the same as we would treat the EU or other Democratic countries. So, you know, let me wrap up by saying that, you know, a America has a distinguished history with regard to privacy. It's enshrined in our bill of rights in the protections of persons and houses and effects thoughts of religious belief. And, you know, a due process clause that has come to embody not just judicial process, but disproportionate restrictions on individual freedom and dignity. And it was an American jurist, Louis D Brandeis who first framed a common law right to privacy in 1890. Our Fair Credit Reporting Act in 1970 was one of the first national privacy laws anywhere. So two decades into the 21st century, it's time to update surveillance laws that were written in the 20th. We are in a world today where devices that can reveal everything about us are constantly connected to global networks and the power of surveillance is beyond anything that was imagined when the existing laws were adopted. Passage of national comprehensive privacy legislation would help. That's a project that I led in the Obama administration and unfinished business today that I'm focused on. You know, we have a matrix of sectoral laws covering health information and financial records, student records, you know, many other specific applications. But our current approach leaves a lot of the explosion of data that we are have experienced in today's world. Exposed and allows companies to set their own rules for what they collect, what they use and who they share it with. I believe the United States needs to align itself with liberal democracies that treat privacy as a fundamental right and reassert that historical leadership reduce the differences between it and the you and the more than 100 countries that now have data protection laws. I believe that we need to do that with a law that's consistent with our common law origins or culture of entrepreneurship or system of innovation by iteration. And I believe that like minded countries in the EU and elsewhere should keep in mind that no matter what our differences maybe what the differences are in our legal systems or our approaches to privacy and data protection. And we should fail when compared with our differences with China and other authoritarian and repressive countries. So thank you for the opportunity to come back today. Virtually. I hope to have the opportunity to be there in person. Again, thank you very much. Cameron for that very powerful presentation. I think framing them has as you have with your personal experiences growing up and that of your family. I thought it was very powerful because it's set down really, you know, an understanding, perhaps of how you've managed to go through such complex, you know, both legal and cultural systems and advocate very, very clearly for looking again at where we're at. I thought it was a very thoughtful and detailed analysis, because it allows us maybe to look at the way forward. So I'm going to ask now for our questions and look at them here. We've a number of them, but we may go back to that point a little bit later. And the first question here then is from Seamus Allen from the Institute. He's asked the question the European Commissioner for Justice has stated that the European Commission will bring forward proposals to adjust how secs work by the end of the year. Do you think it's possible to update secs to enable transatlantic data. Sorry, I just missed that transatlantic data transfers quite respecting shrooms too. Yeah, so as I indicated, broadly in my remarks, I think that process may enable some kinds of transfers. And I think there may, there may very well be some that are complicated because of aspects of the court's ruling. Some of the kinds of measures that people have talked about are the use of strong encryption for data in transit and data in storage. Interestingly, I mean that is something that you know many of the larger companies have been doing for some years now. And, but, you know, there are many smaller companies in that 5300 privacy shield companies that aren't necessarily and and of course in the mass of other non US transfers. So that's something that's that's that's being looked at. I think for companies that receive process from the government to produce information. There could be an obligation in the contracts to resist that. And again, and undertaking that a number of companies have have made recall there was the case with Microsoft to where the US government was seeking data. And I want to server in Ireland. And then Microsoft went went to court on that. So, sort of put those kinds of responses into law. I think some of us will depend as I said on sort of what the risk assessments are risk assessment is something that some of the commission staff have talked about as something that they will try to build into contract clauses and into the analysis. But, you know, if you for example, believe as that any encryption can be broken. And that might get you to a conclusion that encryption doesn't work doesn't keep the data out of the hands of the NSA. And I know I think the encryption is robust, but even the NSA can't decrypt all the traffic from all the world in any reasonable amount of time so it's difficult to do. So they're practical difficulties. You know, certainly, I think the commission has demonstrated political will to sort of look at things in a practical way. I hope that members of the European Data Protection Board will. I have more doubts about the CJEU. Well, just this another interesting question probably adds to the complexity which you, your, your presentation showed it's a question from Deirdre Killroy. She asked the question, based on your work in the field of protecting consumers, what challenges do you perceive associated with the use of artificial intelligence, both in the US and in the EU. And how does that relate to the growing regulation of content to deal with online harm and attacks or attacks. There's a lot in there. I think the AI affects privacy, principally in just increasing the power of data and data collection and data analysis. So, you know, to make very granular inferences about individuals. So, you know, that's, you know, that's that has been on a continuum as, you know, as the volume of data that we each generate has expanded as the collection and the analysis has expanded. The AI may present sort of a quantum leap in the ability to, to analyze that and one of the phenomena that we've seen that GDPR addresses to a significant extent is, is that some of the traditional mechanisms for separating identity and links to individuals from data become more and more difficult as, as those inferences the ability to draw links about individuals increase AI certainly increases that. The other danger, you think that is that AI and the power of data can draw and and the fact that it is machine learning. That's, that's difficult to to explain difficult to to reverse engineer. And to some extent outside human control means that it might be possibly be used in prohibited ways. In the US, certainly now as we talk about privacy legislation, the, the possibility that that personal data can be used in ways that discriminate against individuals has become a very important issue. And certainly when we enact privacy legislation, it will certainly include protections for civil rights protections against discrimination and some level of transparency for for algorithms. And certainly those that know in terms of the GDPR have a significant to impact on individuals or other significant legal legal effects. And, you know, I think that will be be an important step. I think the content issues are somewhat separate but but certainly AI, as we're seeing with, for example, election interference. Is increasing the capacity of bad actors to carry that out to create false information and increasingly sophisticated false information. I don't think we have the tools yet to deal with those issues. And of course, I'm, you know, we have the challenge in the US that that I know in many respects us values free speech in sort of above all other rights much as I think you values privacy data protection above all other rights. And, and so we, we definitely have a different balance on those issues and the US and Europeans do. And I suppose that goes back to the mindset and the background historical background as well that you mentioned, you also mentioned that you know there was 5300 is that right. Small companies. So do you think that are larger companies better place to respond to the CJU decision. You know, for instance, you know, by core challenges like Microsoft, you mentioned by building data centers in Europe and with smaller companies and competition be harmed as a result. So are smaller companies really because of the complexity of the of the whole area. Are they really, you could say they can't really respond. You know, they're not in a position to respond. I think my answer, Joyce is, yes, absolutely. I am, you know, the larger companies have the capacity to, to locate facilities in, in other countries. You mentioned Microsoft, they have data centers in, in Europe. So, and of course they have the, the wherewithal to do that. A, an SME that has been using the, the privacy shield for let's say, e commerce. Really doesn't have that option. And neither do they have the ability as I talked about to do the analysis. That's required. Case by case basis, you know, the big companies. Because they are recipients of many government access requests have staffs of lawyers who are national security lawyers who respond to those. So, you know, they, they can do that analysis. They have security clearances. But, but, you know, they are a small number in a class by themselves, a great bulk of companies do not have that capability. And I don't know, neither do the great many European companies that are transferring data and, you know, no, nothing about US law or Chinese law or other foreign laws. And as you know, the European community and it's, you know, digital policy digitalists at the center of the green agenda and the digital agenda. And, you know, they want small companies to use data more effectively in a whole array of areas because that is, in a sense, the new oil. So, do you think that is an argument in the power of small companies? Do you think they have any power in this discussion? Or who do you think are the main actors in the discussion? You know, is it around fundamental rights, individual rights? Or is this, are this group of people, are they seen as important in this discussion? I don't know, do they have any way of articulating their concerns? Those concerns are part of the political discussion. But, you know, you look at the litigation in the CJU, I think there were some business associations that appeared in the High Court and therefore the CJU case. I think the business software alliance, that's a primarily American but international trade association of technology companies, business Europe, which is a more broad based association of European countries, which, you know, I'm sure as the interests of SMEs involved, but, you know, most of them can't pay dues to trade associations. So, I'm sure they have less of a voice there. And there was nobody specifically at the table on those issues. Certainly, I think, you know, political leaders pay attention to those issues, you know, that's not off the radar and in European Commission thinking by any means. You mentioned earlier about, you know, separating identity and data. Is there a proportion of companies who relied on privacy issue that can turn to more creative use of data, such as depersonalizing data to enable transfers? Or is that just another layer of complexity? No, it's an important question. It is undoubtedly another layer of complexity, but there's certainly a lot of research and development being done these days in various forms of privacy protecting technologies, such as, you know, federated databases that allow or federated databases or uses of data that allow data to remain in the hands of the original controller or even of individuals, but allow effectively the algorithm to come to the data rather than the research to be require that the data go to another computer. And I think that's certainly promising for some applications. But again, I think that's a large scale thing. I am, you know, I'm also affiliated at MIT at the Media Lab when the group that I work with is doing a lot of work on some of these, these kinds of solutions. But my view has been that because of the complexity, that getting them on a wide scale where individuals or SMEs can use them is required. You know, a lot of time and development, I mean, this is really sort of super user stuff when it comes to, you know, the computation, the methodology and the controls. You know, I also think that that, you know, and this is an issue as we talk about privacy legislation that because of the complexity of managing data, managing our interactions with with data collection. You know, we really have to rely on normative laws like grounds for processing and proportionality in the GDPR to sort of establish boundaries for how the data is used, how it's transferred, how it's how it's shared. And, you know, and the scope of collection. So this is something I'm pushing for US US legislation. We have to set the boundaries. We can't rely on individuals to do the job of protecting their data. They should have the right to do that if they want it, but their privacy, their protection should not depend on that. You know, you've mentioned there about the law and that the start of your presentation, you mentioned the difference between common law and civil law systems. So what role does the difference do you think between the two systems play? Is that the fundamental, is that a fundamental issue? I don't know that it's fundamental choice, but I do think that it is an important issue. You know, I think it, as I'm talking about, I think it does affect the way that we think about things. You know, in a civil law system, the visual analogy that I draw is a polyonic code. It sort of like the gardens of Versailles, this perfectly ordered rational universe that has the flows from a central logic. Common law system is like the gardens of Frederick Law Olmsted, who designed Central Park in New York and many other parks and elsewhere. It's organic. There's no obvious organization to it. And, you know, I think sort of that framework, Europeans look at American law, necessarily true with our sectoral system and privacy. I think, you know, I was very lost here and there and federal law and different, different levels and think that, you know, we have no comprehensive privacy law. Americans look at sort of something like the GDPR and think, oh my God, it's just so, so prescriptive. You know, what a thicket of regulation. And I think in both of those, I think our extreme reactions, but I think they do color something like the CJU decision deafness. I mean, particularly I mentioned the sort of various regulations that we have the advocate general opinion dismissed all of that as well. Internal regulations are not law. Okay. You know, under our system they are executive orders are binding and federal agencies. There are regulations. I think it does make a difference. If I can maybe have a frivolous comment on gardens. Wildflowers are all the thing now there's no such question of having strict clear lines. You just let it all happen and the blossoms come forth. So that that makes there may be a change coming. And we've a question here from Darren Moriarty, and he's asking, and there is saying many thanks again for a fascinating presentation, wondering if you might, if you, if you feel you can now when you're here it's coming. I would be able to comment on any differences in approach between drop Trump and Biden, when it comes to the matter of privacy and data protection, or it is as one of the very few issues that unites Democrats and Republicans. I think there, there, there are differences. I mean, certainly Biden has said we should have a comprehensive privacy law in the United States. So that is probably the, the biggest difference. Yeah, I think there will certainly be, I mean, look at if Biden is president is going to pick up the post privacy shield negotiations wherever they are and pursue a framework agreement. And I think it's all that, you know, he, he had a conversation with President Yonker about about the safe harbor decision and getting to a new agreement then so he's not a complete stranger to to these issues. And he has rolled back some privacy protections. There was a Federal Communications Commission, I am order that regulated internet service providers. He signed up the law that rolled that back. More recently, they've lowered the fines for violations of the health care privacy act. Some incremental things, but, you know, ultimately it comes that there was in one of his agencies, one that we used to be in my under my purview. I was looking into privacy policy and could know an outcome of that could have been endorsement of privacy legislation. I think given, you know, the how close members of Congress have gotten over the last couple of years, I think support from the administration could have made the difference. And I'm hopeful that if Biden is president, it will make the difference and we will get to a comprehensive privacy law in the next couple of years. Cameron, unfortunately, our time is up and it's good to end on that on the positive note. Absolutely. Thank you. Thank you so much for such a stimulating and thoughtful presentation because you've raised very a lot of very key issues, but I think also you've brought hope and given kind of indications of how things could happen, given that we both need and want to make things happen in a way that's positive for our citizens, both in the US and the EU. So, so thank you so much for that. And for being with us today. I hope we you'll come back again to us Cameron, and hopefully at that stage, it'll be it'll be in person rather than virtual. And I'd like to thank to our audience for your participation and for your questions. And interestingly enough, on the next digital futures event is on disinformation. And as you mentioned that on the 2nd of October, Paolo Cisarini, who is the head of the media convergence and social media unit in the European Commission is speaking on countering online disinformation actions taken and the challenges ahead. And that that kind of links in with some of the points that you made. And I'd like to thank on our behalf, the production team here, Lorcan and Sarah and all the team for their skill and commitment, and to shame us Alan, our digital policy researcher for Holy's and expertise that he's given us in supporting this webinar. But I'd like to leave with thanking you again Cameron, because I think this has been an important event, an important presentation, because it's one that will that a solution needs to be worked on needs to be found, if in a world of technology, where data is everything we need to really think and work on it. And you've given us good grounds to do this. So thank you very much. And I say, look forward to seeing you again Cameron. Thank you.