Good afternoon. I'm delighted to welcome you to this IIEA webinar. My name is Una Fitzpatrick. I'm the director of Technology Ireland, an Ibec trade association, and I'll be chairing today's event. Today's event is part of a series organized by the IIEA and IDA Ireland to explore digital policy issues relevant to Ireland. Today's event follows the Digital Ireland conference which took place in Dublin Castle in November. Today's event is on the hot topic of transatlantic data transfers and we're delighted to be joined by our expert panel who have been generous enough to take time out of their schedules to speak to us. Each panelist will speak to us for about 10 minutes or so and after each panelist has finished their presentations we'll then go to a Q&A with our audience. You'll be able to join the discussion using the Q&A function on Zoom which you should see on your screen. Please feel free to send us your questions in throughout the session as they occur to you and we'll come to them after the panel have finished their presentations. A reminder that today's presentation and Q&A are both on the record. I encourage you to join the discussion on Twitter using the handle @IIEA. I will now formally introduce our speakers and hand over to them. We are going to be joined by Christopher Hoff, Assistant General Counsel for Privacy and Regulatory Affairs at Microsoft, former US Assistant Secretary in the Department of Commerce. Then John Miller, Senior Vice President for Policy, Trust, Data and Technology at the Information Technology Industry Council, ITI. Anne-Marie Bohan, Head of Technology and Innovation Group at Matheson. And finally we'll be joined later by Bruno Gencarelli, Head of Unit for International Data Flows and Protection in the European Commission. So first up, it's my pleasure to introduce Christopher Hoff. Christopher is currently the Assistant General Counsel for Privacy and Regulatory Affairs at Microsoft.
He was previously the Deputy Assistant Secretary for Services, Industries and Analysis at the US Department of Commerce until June 2022. In this role he was involved in negotiating the new EU-US Data Privacy Framework and also worked on the data flows relationship with the UK and Switzerland and on globalizing the former APEC Cross-Border Privacy Rules system. He was previously the Chief Privacy Officer for Huron Consulting Group. It's over to you now, Christopher.

Thanks so much and thanks for having me here today. I'm going to go over a little bit of background of the negotiation and the result of it that everyone's pretty well aware of now, as well as infusing some global perspective there. You mentioned some of the other work that I've done and worked on before, but that pretty well covered why I'm here today. I was part of the negotiation. I was the lead for the Department of Commerce where the program sits; the Data Privacy Framework is managed by the Department of Commerce, as the Privacy Shield and Safe Harbor before it were as well. That's why there's a Department of Commerce person there at the negotiation table, but it was a group effort. It was somebody from the White House leading. There were also Department of Justice lawyers, Office of Director of National Intelligence lawyers, and State Department and representatives from the intelligence community as well, because the negotiation, you know, was focused not on the commercial principles of then Privacy Shield, but on very, very limited issues that were raised by the Court of Justice of the European Union in 2020 in the Schrems II case. So it took, speaking of 2020, it took some time for the negotiation to take place. It was two years long. It was a hard-fought battle between the Commission and the US government. Now we are on the same side. We've come to, I think, a very good agreement between us and a new framework that we are confident meets the Schrems II CJEU requirements that were laid out for us.
So in the negotiation, the entire time everybody sat at the table with the CJEU opinion in front of them, used it as a checklist for what needed to be done. Truly, it's not figurative. We were sitting there with it and it took a great deal of time and it was very constant. There were no lulls in it. There was a change in administration from the beginning, 2020. We had a different president. But they started the negotiation then. I started on day one of the administration. The White House person was there on day one of the Biden administration as well. And so it's been constant work since then. And even after we came to the agreement, which had its own 20-page term sheet that we had worked on, it had to be translated into US law, which is where the executive order and the Department of Justice regulation that came with it came from. And that took extra time as well. By the time I left in June, we had negotiated the whole deal, agreed on it, drafted most of the executive order. The Department of Justice had drafted most of the DOJ regulation. But as you know, you didn't see an executive order in June, you saw it on October 7th, because there were a lot of agencies that had to change what they were doing and incorporate new policies and procedures. And that's why it took so long, because these were substantial changes to US law. They were substantial changes to agency policy and the intelligence community. And so that leads me into the meat of what's in the executive order and the Department of Justice regulation. They're medium-length, but they're worth reading for everyone who's interested. They're very worth reading. They're somewhat complicated, as law is, but they've got really good information in there. It's worth reading those and not simply relying on news articles, although there have been a lot of good ones. Because it goes through a number of key things that didn't exist under Privacy Shield, under the arrangement before this one.
It improves on PPD-28, the Presidential Policy Directive from the Obama years that was implemented around the Privacy Shield one time. And it goes into what necessity and proportionality mean. It uses those terms for the first time, EU legal terms, in terms of intelligence surveillance activities using only ones that are necessary and proportionate in terms of data privacy as well. The executive order and the regulation create a brand new redress system that is whole cloth new. There's a new data protection review court. They created a court out of thin air and that took a great deal of time and legal work. And both of those things are, noting sort of at the outset, in the instruments that they're in because of this subject matter. I've seen some concern over whether there's a statute that implements these things versus executive order. There's thought that perhaps an executive order is not as durable. I would challenge that at the outset by saying that national security in the U.S. constitutional system is largely in the purview of the executive branch. Executive orders are where the executive creates some law that agencies have to follow. National security issues are by and large in executive orders. For example, EO 12333, which was challenged by the CJEU in the Schrems II decision. That's from 1981, from President Reagan. And it has lasted, it's been updated, it's been improved, but it's durable. Those instruments are generally where things like this go. So it wasn't just a matter of ease, because this wasn't easy. And not just a matter of preferring it over a statute. It's where, because of the separation of powers, a lot of national security things stay in the executive. So that's there. There's a Department of Justice regulation that goes with it. It's not all in the executive order.
There's a regulation that goes with it because the Attorney General needed to create a regulation of its own that created the court, because it's relying on the Attorney General's authority to establish the courts, using the Attorney General's Special Counsel authority to set up the three-judge panel and the rules of the court. So that's why it's in a separate instrument. We tried to put as much as we could into the executive order and did, so that it would be in one place, but that DOJ regulation is necessary as well and worth reading. So those are all in there. The redress mechanism was the most difficult thing to deal with. Necessity and proportionality were slightly less challenging from a legal perspective. And you'll notice from the executive order, there's some nice legitimate objectives laid out, prohibited objectives, and intelligence activities have to be necessary to advance those validated intelligence priorities that be more proportionate to the validated intelligence priorities. But then there's a large chunk of the executive order and regulation that are focused on the new court system. And so it starts with the Office of Director of National Intelligence's Civil Liberties Protection Officer as a fact-finder. The executive order provides more independence around that function than even they already had and creates a rule that the CLPO's, the Civil Liberties Protection Officer's, findings are binding, their decisions are binding on the intelligence community. The data protection review court then can hear the case. There's a special counsel involved in that to make it even more court-like than just having three-judge panels would be. And their decisions are binding as well. They have independence from the executive and the executive is not allowed to influence them at any level, not even the Attorney General or the President. And then there is oversight of the entire system from the Privacy and Civil Liberties Oversight Board, PCLOB.
They are an independent agency in the United States government, so their function is generally oversight. They write reports, they do investigations. And so PCLOB has been asked to serve as an oversight mechanism for the entire thing to ensure that the court is operating well. And all of these things are significantly different than, not only do we think that they completely address the CJEU's transfer decision, but they're significantly different. And the perspective that I want to keep coming back to is that this is quite different than the previous operation, where the State Ombudsperson, who was not binding on the intelligence community, who was not terribly independent from the executive, was the previous redress mechanism. It's also very similar to what is happening in most member states in practice as well. I've seen some concern over the fact that there's a bit of a boilerplate answer that individuals will get because of national security after the end of the case, which is sort of an "if proper procedures weren't followed, it was corrected" answer, and that's because of state secrets. We're talking about very sensitive national security issues. But the perspective part of that is that that is what an individual citizen of France, for example, would receive from the CNIL, that the CNIL took something to the intelligence community agencies in France and said, you know, we've got a complaint from an individual. If there was intelligence collection activities on them, were they properly followed, and then it would trickle back to the individual and they would get that similar sort of response. So it's pretty typical. Realizing that I've already taken 10 minutes on that overview, I was going to briefly mention that even though this is a transatlantic data flows panel, I'm looking forward to hearing, and John might talk about this as well and Anne-Marie, on some of these other topics, but there's some OECD work going on.
There's trusted government access principles that we're hoping to see soon. There are global solutions, which I think is a really important thing to note, that the transatlantic conversation does and has for almost a decade sucked all of the air out of the room in data flows conversations. And I'm looking forward to a day when we're talking about more global things more often, like the global cross-border privacy rules that, you know, Australia, Canada, Japan, Korea, Mexico, the Philippines, Singapore, Chinese Taipei, and the US are already in, and Latin America is interested and the UK is at the table in those discussions as well. So those are really important things to look forward to in the future. But I'll stop there for now.

Thank you so much, Christopher. And definitely I think the global solutions is it might come up in our Q&A discussion and I'd be welcome to get the insights from all the panel. So I'm delighted to introduce John Miller. John is Senior Vice President of Policy, Trust, Data and Technology and General Counsel and currently leads ITI's Trust, Data and Technology Policy Team, driving ITI's strategy and advocacy on cybersecurity, privacy and data protection, supply chain security and resilience, government access to data, digital platforms, artificial intelligence, international things, computing and other technology and digital policy issues. That's a serious long list, John. So I'll credit you for time for you know that. I'm delighted to hand it over to you and welcome your comments.

Thanks very much and thanks very much for the invitation today. In a way, Chris said it all, but I will try not to repeat any of what Chris said. But I do think one place to start here is just to give a really brief introduction to who ITI is and then connect that to some of the broader business interests and then get a little more into this. I mean, you know, ITI, we are the Information Technology Industry Council.
We're headquartered in Washington DC, but we have offices in Brussels and in other capitals around the world. And we really represent the breadth of the tech sector. So, you know, hardware companies, software companies, various different types of services companies, networking equipment companies, B to C companies, but also B to B companies. And I mean, I think one thing that certainly connects all of these companies together is that they're all using data in one fashion or another. They're all certainly interested in protecting that data as well and in transferring that data and, you know, innovating rights around that data. And I mean, I think it's fair to say that the tech sector itself is kind of a horizontal enabler really across the entire economy right now. And so I mean, one thing I wanted to just say at the outset is to kind of maybe dismiss what has also made a popular misconception about this whole area, is that I'm here representing the tech sector, but I feel very sure in saying that this is an issue, transatlantic data flows and indeed global data flows, as Chris suggested, that impacts all companies, companies in the EU, companies in the US, companies around the world, companies in every sector and, you know, indeed companies of every size. You know, one thing to note about the predecessor Privacy Shield framework, as I know Chris knows well, is that I think at least 70% of the companies that were certified to Privacy Shield are small and medium-sized businesses, right? And those are thousands of companies. And the reason I can say that I know this with certainty is because, you know, ITI recently led a transatlantic multi-association letter with over 40 associations from, you know, really an equal number from the US and the EU, including across the member states, and really just representing every sector of the economy really.
And I think that that's important to just again, not only demonstrate that this is an issue that's important to every company in the modern economy, but it's one of the reasons why, and you know, you've seen these numbers thrown around, but, you know, Chris and the negotiators had a hard job because they not only had to develop a framework that would protect fundamental human rights in line with, you know, the CJEU's decision, but they also, you know, what's lurking in the background here is that we need to figure out a way to facilitate data flows that underpin a $7.1 trillion economic relationship between the EU and the US. And that's really important. And I think another really important fact here as well is that, you know, it's not just about fundamental human rights and economics. But, you know, the EU and the US are trusted allies and partners, and they require a data sharing framework that upholds citizens' fundamental rights, you know, for sure, but also provides the national security and intelligence authorities with necessary and proportionate tools to protect citizens' public safety interests, you know, and in particular at a time when some might argue shared democratic values are increasingly under threat. You know, moving on to the framework itself, you know, I think Chris went over a bunch of the key features of that and, you know, certainly happy to get into more details about both the necessity and proportionality and redress solutions here. I think Chris also hit some, you know, important points about why an EO under US law is actually very, you know, preferable, arguably, to legislation.
But I think that raises another issue, and I just wanted to, and I think Chris alluded to this, but I did want to underscore this, you know, and why the negotiators took two years and why this was such a difficult task, you know, because if we take a step back, the negotiators, you know, as Chris said, they needed to craft a solution that was consistent with the EU law and in particular the Court of Justice's decision in Schrems II. And they referred to that, you know, constantly, it sounds like, but they also needed to craft a solution that was consistent with US constitutional law and protections. You know, so you've got the EU Charter and this Court of Justice. That was kind of now has now been reflected in that in that law is, and it is law is very, you know, important and I think it's important to also just stress that, you know, even though there is important work that still needs to be done to fully operationalize some of the provisions of the executive order and, you know, setting up the court in totality, it's important to stress that the US law changed when the executive order was signed by the president, and I think the Commission even in its FAQ document that was published, I think on the same day, you know, talked about the fact that, you know, the changes were, you know, were significant and constitute legal changes right then. And they also stressed that the safeguards that were agreed to here, and that are reflected in the executive order, you know, are not only available in the context of the Privacy Shield and what is now going to be called the US Data Privacy Framework, but they're actually relevant because they reflect legal changes on the US side to all transfers to the US under the GDPR, you know, and that's including standard contractual clauses.
And I really do think that's an important point because as important as this new Data Privacy Framework is, it's still, I don't know, something like 90% of all transfers are actually using other transfer mechanisms such as SCCs. And so, you know, it's important that this agreement is also going to stabilize transatlantic data transfers writ large. You know, Chris teed up the, you know, the need for I think a global solution here ultimately, and, you know, also referenced some important work going on at the OECD. So, you know, I would like to, you know, hit the ball that he teed up and talk about that just a little bit. You know, the OECD has been working on, really for I think almost a couple of years now, developing principles on trusted government access to private sector data. You know, they, you know, if we just go briefly into the history here, you know, this actually traces back to some work at the G20 back in 2019, when Japan was chairing that, and in the so-called Osaka Track, they kicked off kind of a major international initiative on data flows. And in particular, wanted to express a shared commitment to upholding democracy and the rule of law, you know, protecting privacy and other fundamental human rights and freedoms, but also promoting data free flows with trust, is what they called it there. And I think it's instructive that, so that work has been going on at least since 2019. And I think there's a common thread that goes through to what the OECD has been working on the past couple of years, which is an acknowledgement, you know, number one of the need for a multilateral global conversation on these issues, but also to really put a fine point on it, you know, to focus on what the commonalities are between the systems of the U.S., of course, but also all the other OECD democracies, the EU member states, Japan, Australia, the UK and others.
And, you know, as we understand it, it's been a closed confidential process to be sure, but as we understand it, they've made very good progress and there is an OECD ministerial next week where we are certainly hopeful that they will be announcing that they have, you know, agreed to principles, best practices, legal guarantees, you know, to ensure trusted government access that exists in the various different OECD members. You know, those principles, again, as we understand it, will address some of the very same issues that are at play in the Schrems II conversation. And in the context of the EO and the DOJ regulations that we've been talking about, you know, things like necessity and proportionality, of course, redress, transparency as well, independent oversight. And, you know, I think I and certainly ITI and our members are certainly hopeful that when those principles are published, and again, they're not binding, but when those principles are published, I think it'll actually really help to provide a lot more transparency into what all of these other, you know, trusted governments and democratic allies of the EU and the US, as well as the EU and US, are doing in this space. Because as Chris also mentioned, so much of the focus has been almost exclusively on US practice in this area for almost a decade now. And one of the ironies perhaps of this whole debate is that we probably have more transparency into what the US is doing than anyone else. So I think that the OECD work will hopefully start, you know, widening the aperture and really making this a global conversation so we can talk about the importance of global data flows, as well as transatlantic data flows. So I'll stop there. I'm over time. Apologies. Thank you.

Thank you so much, John. Absolutely. I definitely think we'll be picking up on some of those points during our Q&A.
So our third speaker I'm delighted to introduce is Anne-Marie Bohan, who has over 20 years' experience in technology-related legal matters and is the head of Matheson's technology and innovation group and a member of our asset management and investment funds group. Anne-Marie brings together a significant practical experience in advising on technology and privacy legal issues with industry knowledge and an understanding of applicable regulatory rules and regulatory requirements. She advises on all aspects of technology and e-commerce law as well as outsourcing and contract services, with particular focus on the requirements of financial institutions and financial service providers in these areas. Over to you, Anne-Marie.

Thanks, Una, and thanks as well to IIEA and IDA for the invitation to speak this afternoon. I think I'm going to come at it from a slightly different perspective to John and Chris in that, you know, I'm looking at it as a practitioner. So this is really around some of the on-the-ground challenges that we've seen facing clients in relation to international transfers generally. So just picking up on the comments that both John and Chris made, you know, this is not purely a transatlantic issue and I was glad to hear them both reference that, because these are challenges that face not just Irish businesses but EU businesses generally in relation to international transfers across the board and to multiple jurisdictions. I think it's important, I think at the outset, to acknowledge, and we're all very conscious of the 27 December date coming up for implementation of the new SCCs, but it's important to acknowledge that they've actually been quite helpful in terms of issues that businesses are facing transferring data internationally.
I think some of the key issues there that have been helpful have been the modular form of the SCCs and I think in particular the processor to processor and processor to controller SCCs that were introduced; the docking provision which allows, you know, additional companies to sign up to the SCCs in terms of flow down are also helpful; and the fact that, you know, you're now covered for Article 28 where you use the export to processor SCCs is also again very helpful. There's absolutely no doubt that when we get the new EU-US privacy framework that that's absolutely going to assist as well, you know, it's going to remove some of the uncertainties that have existed since Schrems II, notwithstanding that we have those new SCCs. Now that's only going to apply to the US obviously and, you know, as we've heard, you know, there are broader challenges in terms of international transfers, but those two developments have been really quite helpful from a business perspective. That said, there are challenges that do remain and I think, you know, I'm going to focus a little bit on the SCCs because, as John mentioned, they are probably the most common form of safeguarding mechanism that's implemented when we're talking about international transfers. So while the new ones are certainly an improvement, we have seen challenges in terms of implementing those new ones because we're not really replacing like with like because of those new modules. So in some instances, it's caused a reopening of contracts and particularly liability allocation. So, you know, if you take, for example, you have an existing controller to processor arrangement and, you know, I think it makes more sense to have a processor to processor arrangement that pushes the responsibility onto the processor as exporter. So it is leading to sort of just opening discussions and renegotiation around liability, around risk there.
My own sense as well is, while on a go-forward basis it's really helpful to have Article 28 covered in the export to processor SCCs, where you've an existing contract in place, you may have negotiated some very specific provisions within the confines of Article 28 and meeting its requirements, where they now may be overridden by more general SCC terms. So I think that there may be challenges for businesses and organizations coming up. But I think, you know, it's not simply a question of filling in and executing those SCCs. There's a lot of operational pieces that need to be put in place around this. And I think probably the single most challenging element of Schrems and the resulting EDPB recommendations from a practical perspective is the issue of transfer impact assessments and the degree to which business has now become responsible for that. And that's particularly in relation to assessing the laws of a particular jurisdiction that you want to export data to. So, you know, if you take a step back and you look at the Commission adequacy decisions, huge resources and time go into undertaking those analyses. And at least when you get an adequacy decision, there's certainty for the exporter that the transfer is within the confines of GDPR, and it's valid under GDPR. With a transfer impact assessment, you're effectively pushing that work on to the exporter. So there's a need to get local legal advice to understand what the legal position is in that jurisdiction. It's not just around law and practice, but you know, it is looking at all of the security issues as well. But that's been a real challenge, I think, for businesses in terms of understanding the extent of the analysis they need to do, what investigations they need to do. So having some kind of template TIA with more detailed guidance would be welcomed by industry.
I think Chris made a very valid point in relation to the executive order, and that is that it's immediately relevant to these transfer impact assessments when you're analyzing transfers to the US. But as I said at the outset, this is a broader issue than just transatlantic transfers. It does apply much more broadly. One of the other challenges I think we've seen is that where we've got businesses offering what are essentially commoditized offerings, so Cloud may be one example, the processor in that instance, or the importer, whether it's a processor or controller, very often leads the analysis in terms of supplemental measures, in terms of transfer impact assessments, and Schrems II, the decision there, made it very clear that the responsibility rests with the exporter. So particularly I think challenging for SMEs, where they are looking to use what are essentially commoditized services, and they are more reliant and more dependent on what the importer is telling them, but still are taking on the risk and the responsibility. So that again is a little bit of a challenge. It's really a one size fits all solution. So some more nuance in terms of guidance, I think for SMEs, in terms of guidance for some of those products would always be helpful. The SCCs are, as I said, the most common safeguarding mechanism that we've seen. I think it's important to acknowledge that there are others. So BCRs, binding corporate rules, which apply on an intergroup basis, are there, they're useful. They take time to get through and they're very complex. And you still may need a series of SCCs sitting alongside them, depending on how your data flows. I think one of the other challenges that I've seen and that I have to say can be a little bit frustrating sometimes: GDPR does contain derogations in relation to international transfers. So there are a number of circumstances where you can rely on a derogation.
There's been guidance from the EDPB which has really narrowed down the circumstances in which you can rely on those. That's not always helpful in terms of some of those exemptions and it would give more flexibility if that could be revisited in terms of looking at it. It's relatively technical but they've applied a sub-paragraph at the end to all of the exemptions. My reading of it is it shouldn't be applied that broadly but that's a different conversation for a different day. I think then the other area that we've seen tensions arise, and it goes to the points that both Chris and John were making around the fact that we need an international multi-jurisdictional conversation around this, and the work that the OECD is doing I think will help with this. But it is that tension between legal systems. So it is what we call the long-arm effect of laws in certain jurisdictions, where they apply to companies established in that jurisdiction but also to their international subsidiaries. It puts pressure on both the local company but also the international subsidiary in terms of trying to comply with that, and having an international framework where there are government to government or public authority frameworks that would allow for that pressure to be taken off business and spread to be dealt with through those mechanisms. So the mutual assistance mechanisms that are currently there I think would again help, because we've seen in some instances some real tension there between the legal systems. I think anywhere that there's a lack of clarity, and we still have lack of clarity in certain areas, anything that the policymakers can do to assist with that and to giving more guidance, more clear guidance and more structured guidance around the international transfers and how these mechanisms can work would be absolutely welcomed.
There's a real risk for business. You know, there's a huge amount of work and effort goes into doing these assessments and into making sure that there is a safeguarding mechanism in place, but it's against a backdrop where sometimes you're not quite clear, and if you get it wrong the implications are quite significant, both from a potential administrative sanction perspective but also just in terms of business and being told to stop doing what you're doing, which is always a potential as well. So I think just to summarize, I think, you know, the more certainty we can create the better, but that will require multi-jurisdictional, multi-government discussions, and it is something that is bigger than business in the sense that they need that framework. Hand back to you Una, thanks.
Thanks so much Anne-Marie, great overview there, and definitely I echo the comments around clarity and more guidance, definitely on the industry side always most welcome. I'm not sure if Bruno has joined us yet, so just in case he hasn't maybe I'll kick off with a question, and when I see him pop up maybe he can join us. So my first question that's come in, Christopher, is for you, and I suppose it's the question on kind of some of your comments: what was the attitude of US intelligence agencies during the negotiations, and you know, did they express concerns about the kind of possible reforms or limits on intelligence gathering? As much as you're allowed, I think.
Yeah, right, there's very little that I'd be allowed to say about that. I totally understand the question now. I would say that these were significant changes, and so all of the agencies that were affected were well aware of how they would be affected, and so it definitely felt like more of an internal negotiation in the United States government than oftentimes.
I mean of course it was a negotiation between the European Commission and the United States government, but the work that had to be done internally was its own very large negotiation, but it helped to have such attention to it. I was a political appointee, there was somebody else from the White House that was dealing with it, and then a whole host of amazing senior career executives who were dealing with it as well. So it was a huge team effort that required a lot of buy-in and a lot of negotiation from the agencies. It was tricky.
Okay, one question maybe to all the panelists, and maybe could you comment further on the importance of the distinction between a formal data transfer framework to replace Privacy Shield on the one hand and the use of other mechanisms such as standard contractual clauses, which I know has been mentioned a lot already, on the other. So I suppose really, you know, what is the distinction for maybe somebody who might understand.
I can start off on that. I think from a legal perspective it really goes to the question of certainty, because if you're operating under what is essentially an adequacy decision there's a comfort there that, yes, we all know they're subject to CJEU review, but there's a comfort there when you're operating under a framework or an adequacy decision that's been signed off by the commission, because the commission has done the work in assessing the risk.
I suppose another question that's been, Chris, for you, I think you're being hit again. I suppose it's in relation to, you know, to what extent have your perspectives changed on these issues since you've joined Microsoft. Again, whatever you're allowed to say.
Yeah, great, because in both of these past jobs I've had to balance how much to say about very sensitive national security issues, as a government representative, a senior official there, and then at Microsoft, where almost everyone in the world is a customer of ours, I was joking with John about that yesterday. But my perspective hasn't changed at all. I think that, and that's not just about, I mean it sounds for a moment like I'm talking about my own integrity, and in part I am, but the integrity of everyone who was involved in developing these new frameworks was really impressive. Everyone on the US side, everyone on the commission side, everyone was trying their hardest and very honestly talking to each other about solutions that would work, and the US government was trying to be as flexible as possible, and so I was genuinely excited about the solutions that we came up with at the time. I'm still excited about them, so not much has changed for me.
Great, thank you Christopher, and we might pause the Q&A there. I see Bruno has joined us, so good afternoon, and I'm delighted to introduce Mr Bruno Gencarelli, who is deputy to the director for fundamental rights and rule of law and heads the international data flows and protection unit at the European Commission. Bruno, I'll hand over to you to deliver some comments and we might have time then for some further Q&A.
Yes, and first, good morning or good afternoon to everybody, to the audience and my panelists, and I apologize for joining only now, but what is keeping up with me this afternoon, and probably the whole night, is something that you have been discussing: this is about when we're going to table the draft adequacy decision on the new data privacy framework. So it's never good to be late, but I think this time I have a good excuse, and unfortunately I haven't followed and heard what has been discussed so far. I will maybe make some brief remarks on where we are and why we believe this is important, and then we'll try to start answering the question why we believe that this time this will work. Where we are, that's the simplest thing: we are at the stage in which, in the coming days, I don't yet have a date, I think all of you are also reading the press speculation that this is coming, but whether it's tomorrow, Monday or Tuesday or Wednesday, this is coming and it's coming very soon. Following the adoption by the US president and the US attorney general of, respectively, a presidential executive order and an attorney general regulation that translate in US terms the political agreement that was announced by President Biden and President von der Leyen on the 25th of March of this year, building on that, we propose next week a draft adequacy decision, and that will explain why we believe that now we are in a position to consider that the requirements set by the Court of Justice, our highest court, in the Schrems II judgment are fulfilled. And that type of decision, you know, we're talking about a complex instrument, it is not an international agreement, this is a unilateral decision that the commission can adopt on the basis of, of course, negotiation and commitments taken by the other side, the other party, in this case the US. So the adoption of that decision needs to go through a multi-stage process which provides
first of all for the need, requires a first opinion from the European Data Protection Board, which as we know brings together the independent regulators of our member states. Then once we obtain that opinion we go to, to use the Brussels jargon, the comitology process, which is a barbarian term to just indicate the fact that there is a committee composed of representatives of the member states, the 27 member states of the EU, that will have to look at this decision and vote on this decision, and we need a positive vote of a majority, a qualified majority, to use another EU term, a qualified majority of member states that would give us a green light, support of that draft decision. And this process is also subject to the scrutiny of the European Parliament, which can request, ask the commission to either amend or even withdraw it. Once that process, all the steps have been done and the process is completed, we, the European Commission political leadership, the College of Commissioners, can adopt the adequacy decision. Then your next question will be: yes, fine, but how much time will this take, when do you expect to have that decision? As you can imagine, all these steps are not fully under our control, and rightly so, that's part of the healthy system of checks and balances. They involve other institutional interlocutors that have control over their part of the process, so I cannot give you already at this stage a certain timeline, but we have some indication that comes from recent precedents, similar decisions we have taken in recent years on the UK as part of the post-Brexit relationship, or on Korea more recently. And we also know there will be a lot of scrutiny and questions, and the conversation will be rich around the adequacy decision on the data privacy framework, because we are coming after two judgments of the court and on a very complex matter. So looking at precedents, this takes basically around six months, so
sometime in spring looks like a realistic time. We are not the only one who have formal in the with respect to this arrangement, to this deal. The US have to further implement, to implement what the president instructs, that's the executive order. The president has instructed the executive branch, including the intelligence community, to do a number of things, and until these things are done and these things are done to make those safe that's effective, and I would also say a word on this and what is important, and that for instance includes designating the EU as a jurisdiction that benefits from the new redress mechanism. It's about its and executive order addresses that are each and every intelligence agency in the US, many of them have now to review the internal rules and policies to make sure they reflect the safeguards provided under the executive order, what is generally referred to as necessity and proportionality, when data has to be collected and to what extent, essentially what necessity and proportionality is about the value of national security. That's important because the value of this deal and of this data goes beyond the adequacy decision. The safeguards in the area of government access have been negotiated so that they cover all transfers from the EU to the US regardless of the mechanism or the transfer mechanism. Don't know if you have already discussed this, but it's generally part of any discussion on this matter: the post-Schrems II landscape has been a landscape marked by a certain uncertainty, because companies had to assess themselves how to carry out what is often called a transfer impact assessment, and they were trying to figure out whether safeguards in other jurisdictions, in this case the US, were sufficient or whether additional safeguards had to be added, the use of certain technology, other legal or other protections. Well, once the safeguards that are contained in the executive order will be in
place, any company will be able to rely on them to transfer data. That's very important, we hope, that's how we have conceived it and developed it with our US counterpart, that would be a very important injection of legal certainty into of course an absolutely crucial element of the transatlantic relationship. So I will not enter into the substance, probably for questions, and you have already discussed the substance, but that was just to summarize where we are and where we are going from here. And also let me, I want of course to say how happy I am to be with such co-panelists, but I want to say a special hi to Chris, who has of course been my partner in a large part of this negotiation. He left me too early and he left me in the difficult situations of, I'm happy to see him but still. But I just want to say how important, because a negotiation is also a negotiation between human beings. It's about abstract legal standards, abstract in the court judgment, are very real on the ground and very important in terms of protection of citizens' rights, but it's also about how in such a negotiation two systems speak to each other, find a way to on the one hand fulfill the court's requirements on our side but also developing the system that is workable in the US, and this is impossible to solve if you don't have all the human energy, human creativity and engagement, and that we had in this course, and that's of course about human beings, and one of these human beings was Chris. I'm very happy to see him again in the panel.
Fantastic, thank you Bruno, and hopefully we're going to have a chance in the Q&A for yourself and Chris to respond to some questions. And I suppose one thing that's come up during the panel's opening remarks, Bruno, is that, you know, the Biden administration's new policy is an executive order rather than legislation passed by Congress, and from a European perspective does this make, you know, reversing or changing the policy easier for a future president, and would this be significant in the European courts, who might interpret it as a weaker level of protection?
There was a problem, is your question about executive order versus legislation? Yes. So indeed that's a question I often hear and I'm often going to answer. What was important for us was the substance, and the substance was about getting safeguards that are binding and that are enforceable, so that's what the court is asking us: safeguards along necessity and proportionality, so again in which situation can government access data for national security purposes and, when data is accessed, to what extent data access necessity, and that those safeguards should of course be binding on the intelligence community and invocable by Europeans if somebody considers that he's or her that in violations such as, that's what we need to achieve. Your question is about whether they should be provided by legislation or by executive action, in this case an executive order. Our answer to that is that that depends on the system we are talking about. The U.S.
system, and it is not the only system on this planet like this, is a presidential system. In such a system a number of powers, competences in the area of foreign affairs, of national security, in particular foreign intelligence, belong to the executive branch and in particular to the president as head of the executive branch and as commander in chief. And this is not just a nice lecture about comparative constitutional law, this is how the U.S. system is structured and how many of the rules that govern collection of data by intelligence agencies are today, even before this executive order, governed by existing executive orders or other. Therefore if we want to change the legal situation, at the same time have an impact, that's again the point about not only in abstract fulfilling requirements but making sure that those requirements are effective and are workable in a certain legal system, and we needed to use that same vehicle, which is the executive vehicle, because many of the rules are again provided by a special in the area foreign judges are already set in exactly steps, and that's why that vehicle has been chosen. And yes, there's always a risk that a legal system may change, including when legislation, legislation can also be repealed or amended, and it will be very important that this new deal, that's what we are going to propose next day, provides for the possibility to react to such changes, and that's what all our other procedures provide for, because when you're taking an adequacy finding you're taking a snapshot of a certain legal system at a certain point of time, and therefore you also have to have tools that address possible future divergence. Those tools will of course be included in the adequacy decision you will take next week.
Thank you, and I suppose that I might direct the next one to Christopher, but Bruno, you might come in as well. So Christopher, as Bruno mentioned the importance of human relationships and how positive the relationships and interactions within the EU and US negotiation teams were, was there any sense of frustration maybe on the US side towards the EU, and the perception that the EU has been excessively intransigent on this issue or that the US has been unfairly singled out in relation to other countries?
Bruno, it is genuinely great to see you. I'm very happy to see you again and I share the respect that Bruno so kindly mentioned about Bruno, and I think Bruno is a superhuman for lasting through so many international negotiations with so many different countries for so long, so I'm impressed. I'm sorry I couldn't do it, but very glad that we came to a political agreement before I took off back to the private sector. No, I mean negotiations are frustrating, and Bruno is a fantastic negotiator, but he is not a terribly frustrating one. Some personalities are challenging out there in the world, and I don't think that, despite the fact that, you know, everybody gets frustrated in negotiations sometimes, I think that there are such smart people and such people who are trying on both sides, trying to come up with real solutions and not trying to hide things from each other. That's just where the tone of the conversation, the administration, the world that we're in, that's how this negotiation went. I can't speak for the original Privacy Shield one negotiation or Safe Harbor, but this one, though very, very difficult, was not difficult because of the people involved.
I might have a question there maybe, Bruno, but Anne-Marie also, to get your perspective on, and I suppose, you know, what the implication of what happens with the EU-US framework is for other EU data transfer relationships, I suppose the implication of that, and I suppose to what degree are Bruno and Anne-Marie watching possible developments in the United Kingdom and possible future UK divergence from GDPR protections, so am I hoping I'll horn its nice if I ask her that question.
I can go first on that one. Yes, we are watching that very closely. So obviously we have the adequacy decision currently, and Bruno has alluded to the fact that they are a snapshot, it's a point in time, and there's the mechanism inbuilt into GDPR for review of adequacy decisions, and so that will be reviewed, as will all of the other adequacy decisions in due course. Yeah, there are certainly I think some concerns that if they substantially diverge from current UK GDPR, which is essentially the same as EU GDPR, that adequacy decision won't be renewed. It depends, they seem to have stepped back a little bit from their original plans in terms of completely recrafting their privacy legislation, so I think it will depend on where they land on that and how quickly they land on that, but it is certainly something that we are keeping an eye on, and you know, certainly from a contract perspective we're trying to, as we did pre Brexit, we're trying to anticipate and make sure that we've mechanisms built in to relook at international transfers that go via the UK if and when that happens. Bruno, I don't know if you want to comment on that one.
I think everything has been said very well by Anne-Marie, and look, I think the UK adequacy decision was adopted on the basis of the service system.
The UK has an answer as a way to build with some changes and the new UK have been a lot of the series of different governments in a very short period of time, but the current UK and new and current UK government is, as we understand, when taking a second look at that bill at the before. What I can say is indeed what I've said before, is that certain consequences are attached to certain changes. The bill that was tabled in July was a mix of different things: things that were clearly clarification, bringing things to elements and explanation but before and certainly side was to the body of tax, and then there are areas, I would lie if I would not say that there are areas that are raising questions and concerns, for instance around the independence of the UK and not of the majority, the ICO, around certain aspects of the rule on international transfer to the people. We have of course communicated that, we have very good contact with the UK on the parts, and if those proposals would lead to significant changes, that would have an impact on an adequacy decision that has been adopted on the basis of different rules. Different doesn't mean, that doesn't mean that every difference is problematic by nature, but significant differences can be problematic of course if they have an impact on the level of protection that has been found adequate. Let me also say that the UK situation is a bit different from any other adequacy process, because in an adequacy process you have two systems that have different starting points and that progressively, by working on adequacy, bring the systems closer.
The UK, the starting point as we know was very similar if not the identical system, and then the challenge is about how you address a possible divergence, and that's how, you know, that decision has a sunset clause, and we will in any case have to reassess the situation before the deadline, which is in June 2020, to see if the system that will exist at the time in the UK is ensuring a similar level of protection to the one we found adequate last year.
Great, thank you. And so a question maybe for John and Anne-Marie, and could you both comment further on the business implications that uncertainty related to this subject has caused to businesses generally, and especially SMEs, during recent years, and how severe would a worst-case scenario be for businesses, and I suppose particularly depending on the stance that Ireland's Data Protection Commission might take regarding the use of standard contractual clauses, as in the Meta case. John, maybe I'll start with you just on that kind of the business implications of uncertainty and everything.
Yeah sure, and nice to see Bruno as well. I mean, one thing businesses don't like is uncertainty, I think I'm on pretty firm ground saying that. And you know, the reality is that, yeah, I mean the Schrems II judgment did cause uncertainty. Number one, you know, it took away one of the transfer mechanisms that was in particular being relied upon by small and medium-sized businesses in the US and in Europe, but number two, I mean it did obviously throw into question the validity of other transfer mechanisms because of what the court said about, you know, US law in this area. I mean, and that's, you know, one of the things that I think both the commission and the US government have made clear, is that the intention of this new data privacy framework is that it will represent changes in US law that will be applicable obviously for any transfer mechanism, so that's a good thing. And I mean, I guess the one other thing that I would mention is that, you know, the instability that was caused by the invalidation of the framework, I mean it's arguably counterproductive to improving the protection of personal data, I think both from a company and a policymaker standpoint, in so far as, you know, we've all had to focus on now how do you, you know, there have been very complicated data transfer impact assessments in terms of what the court said and how companies, but again I would say particularly under-resourced companies, are they really equipped to analyze this very complicated area of US law? I mean it's difficult. So, you know, hopefully we will see this draft adequacy decision soon, as you suggest Bruno, and you know, already I think with the announcement of the changes in US law, that has, you know, somewhat solidified some of these other transfer mechanisms, but we'll have obviously a much better situation once the draft adequacy decision is hopefully ratified by the council and blessed by other
stakeholders.
Anne-Marie, maybe to you, just in terms of that kind of the worst-case scenario, what that would be for businesses here.
Worst-case scenario would be that some of these data transfers have to stop, and that is a really significant business issue in terms of business continuity for organizations, and you know, it's not something that, you know, if you switched off data transfers overnight it would create utter chaos, you know, and data transfers tend not to be, people think of them as being linear, but you know, it doesn't really work that way. So that would be worst-case scenario, would be switching off some of these systems and leaving, you know, potentially leaving people without an ability to continue their business, without an ability to access their data that is sitting in one of the other jurisdictions. So I think it would be something that would cause a lot of angst, and that is the worst-case scenario. I think in terms of just generally, there's been costs involved in all of this, you know, having to do those impact assessments, potentially having to pay higher fees in order to ensure that European data stays within European, you know, so there are different offerings out there, but some of them come with an additional cost. There's additional risk around, you know, claims and admin fines, so, you know, there may be insurance implications, so ultimately a lot of this does come down to there being additional costs for businesses. You know, there's to be honest been a lot of pragmatism, I think, in terms of the approach business has taken. They absolutely understand their obligations, they are implementing the transfer mechanisms, the safeguarding mechanisms, and they are, you know, looking at transfer impact assessments, they're doing that, and then they're hoping that, you know, it won't be them that gets into the cross wire or cross hairs. So there's an element of pragmatism about it, but it doesn't help when the downside is so significant.
Okay, and so John, one question that you might smile at, and I suppose you've commented that, you know, the executive order has led to legal changes in the US, and you know, the question is would it be true to say that EU law and the negotiation process has actually improved privacy rights for US citizens in a way that otherwise might not have happened, and is this an example of the EU standard setting influence? Bruno says yes.
No, I haven't said anything.
Bruno, did you want to take that one?
No, I mean, so I just want to make sure I'm understanding this question. I mean, has this whole process actually improved privacy rights for US citizens? I mean, I guess I would say this, you know, I mean first of all, US citizens have privacy rights, I mean just to clarify that. What we don't have in the US is a, you know, a comprehensive federal privacy law. Certainly my organization, I think industry writ large, certainly many in the US government I think support such a law. I mean, I would say that one of the things that I think is a positive of this whole exercise, right, and the necessity of having this negotiation and even the executive order itself, and this might also answer another question that I had seen in the chat, you know, the executive order, as we've talked about, it represents binding and enforceable legal changes on the US side, right, but it also expressed a very important policy in that executive order as well regarding both privacy, you know, and the fact that US signals intelligence authorities must consider the legitimate privacy interests of all persons regardless of their nationality or country of residence, and you know, this notion that all persons have legitimate privacy interests in the handling of their personal info, that is now, you know, I mean it is reiterated now in this new US law. So I think from that standpoint it is, you know, reinforcing the importance of these privacy protections not only to US citizens but to
EU citizens and citizens around the world, number one. I mean, the other thing that I would say, because someone had asked about, you know, the US intelligence community and whatnot, but you know, the policy expressed in the executive order also makes it clear that the idea and the goal of US signals intelligence activities is of course to protect US national security but also to protect the security of allies and partners, including the EU. You know, I think we have all seen how important that is, that, you know, this kind of collective goal of protecting national security on behalf of, you know, democratic partners and allies over the past couple of years, and I just think that that's, you know, so I think that's one of the reasons, both privacy and national security, why it has not been difficult, to answer the question in the chat, to get the US government and others to focus on this issue. There's been a ton of focus and a ton of work, which I'm sure Chris and Bruno could both attest to, over the last couple of years.
Maybe two short thoughts about this. First, it's different in this, we are not talking here about privacy in the sense we generally think about it, we're talking about a very specific area, extremely important, which are the limitations, safeguards, conditions under which government can access data, in this case for national security, government intelligence agencies. Let me say first it's difficult to answer your question because it's difficult to compare the two situations, because in the US there are protections in these areas that are available only to US citizens and US permanent residents, and the whole challenge here was to build a system that extends some protection, creates some protections for the area of national security when data is collected about foreigners including some of us and in the school. So the big, and I think John was pointing to certain aspects of the executive order, is that it's very important that we're talking about universal protections that apply across the board regardless of nationality, which in the digital, a lot of these legal authorities were developed in times where intelligence was not so much relying on data which is in the first place collected for other purposes, collected for commercial purposes, and therefore in this globalized world these differences based on nationality and residence make much less sense than probably they had several decades ago. So this universal approach to rights and to privacy rights I think is a very important element and a very important improvement for us. But there's also a second aspect, which is actually an encouraging aspect, and unfortunately I've been dealing with these issues now for some years, and what I've noticed in my own personal journey is that issues around privacy have become much less ideological, meaning the discourse, the conversation on privacy between the US and the EU has become much less ideological. We might not always agree, we might
disagree on how to get to certain outcomes, but there's increasing understanding, both in the commercial area, that's why we see who is debating in the US around privacy legislation that federal level will ever happen, but also in this area, an increasing understanding that we need rules of the game when it comes to the collection, use, responsible use of data. I joined this planet of privacy when we were doing the GDPR and we were trying to explain in the US why we're doing that; we were told you haven't heard so then you think it's our day that nobody cares about privacy, let the industry set some sets of time. This has changed completely and it makes our life a lot easier, for example to discuss and make progress, for instance in this conversation, and there's also a lot of potential around that, because when the US and the EU can agree on something, here privacy, that has a significance that goes beyond the bilateral relationship, and I think the US is also very interested in this issue because it sees privacy as a component and element of the dividing line between like-minded democracies and other systems around the world which have a very different way of approaching issues around data, around government access to data, and I think that's part of the broader picture and background, and that's also why while developing this deal we are also being able to advance, and next week is the week of all this, because next week the OECD digital ministerial will announce the adoption of a new instrument, a set of principles on government access to data. It wouldn't surprise you that amongst the many hands and voices that have participated in this work, the US and the EU ones were probably the most important, not because they are smarter than the others but because they have a lot of experience in discussing this issue and finding bridges between the resources, and the OECD document, instrument that will be adopted this week is unprecedented, it's the
first time at the international level that countries come together to define a set of requirements, principles that apply to the way a government accesses data, whether for law enforcement, national security etc. That's important because it's key to, again, inject trust into data flows and therefore trade, and it's also important to show that when we need to do this, government needs to access data, that we do it in a way, with certain safeguards, that are different, very different from the way others do it, and that I think shows very much the potential there is when the EU and the US agree on something and how this can indeed shape international standards. And that would not have been possible probably even five or six years ago, that I think shows the evolution and it's a positive one.
Well, that's a fantastic point Bruno, and a fantastic summary, a note to leave this webinar on. We've gone over time, but fantastic discussion, really really could respond to all the questions and the dialogue between you. Also really just want to express my sincere thanks to all our guest speakers for really sharing their expertise and insights with us. It's an exciting space with a lot happening, but it's fantastic to see the positive note that we're ending on there, and so we look forward to seeing the progress that comes over the coming months on both sides of the Atlantic. Also sincere thanks to IDA Ireland and to the IIEA for organizing this series of events, and thank you once again to everyone who joined us online and on the live stream, and hope to see you again next week. Take care.
Thanks a lot. Thank you.