5 Years of EU’s General Data Protection Regulation: Impact and Lessons Learned

Captions
...by a wonderful panel of experts today on this, the five-year anniversary of the enforcement date of the General Data Protection Regulation, or GDPR as it is more commonly known, which was a landmark European Union data privacy law that went into effect in May 2018. In the immediate aftermath of GDPR we saw a lot of conversation around the impact this could have on the global data privacy debate, and particularly on the impact it might have on some of the US's leading technology companies as well as smaller players, both in Europe and in the US. We've seen debates over whether or not this actually improved data privacy, over the impact that it might have on other rights like speech and innovation, as well as questions about what this means for the overall debate and the US's role in technology policy. As I mentioned, I'm excited to be joined by a wonderful panel of experts today. Starting from my left we have Nathan Lindfors, who is with Engine; we have Lee Matheson from the Future of Privacy Forum; and then at the end of our panel we have Brandon Pugh with R Street. So just to get started, Lee, can you give us a brief overview of what you think we've seen most over the last five years when it comes to the way GDPR has impacted the debate on data privacy?

Well, for one, I think I would actually push back a little bit on the idea that five years ago marked some sort of fundamental seismic shift in the data privacy space. I mean, the underlying principles of the GDPR, which can be traced to what you see set out in Article 5, with the principles of fairness and transparency, and the Article 6 lawful bases for processing, and the sort of rights that need to be guaranteed to data subjects in Chapter Two: this stuff wasn't invented out of whole cloth in 2012 when the GDPR was proposed, or even in 2016 when it was adopted. This stuff dates back to at least the Data Protection Directive of '96, and in many ways I think even earlier, to the 1980 OECD FIPs that we all know and love so well. So that's not to say that the GDPR doesn't represent any sort of change. Certainly it's a landmark piece of privacy regulation and absolutely affected the operations of businesses all over the world in ways that the preceding laws maybe didn't, but I think it's important to note that it didn't just emerge out of a vacuum. And noting that, I think there should also be a recognition that, looking at the GDPR and looking at both before and since the GDPR, so many other international jurisdictions have adopted laws that are structured in a similar way. There has to be some sort of consumer policy drive that's being responded to by regulations that are structured in this way. It's not just technocratic policymakers pulling this stuff out of a hat. There's interest; people want to know what is done with their data, want to have rights about requesting deletion, requesting access, requesting correction. You see variations in this model around the world, but there's a lot of fundamental structure that's the same. I'm going to look at my cheat sheet here: I think there are now 157 countries globally that have some sort of data protection law on the books, and many of them, including many of the most recent jurisdictions to adopt those laws, have structured those laws along GDPR lines, where you have principles-based obligations, you have particular obligations to individual data subjects, and then you have record keeping, data protection impact assessments, outlined roles and responsibilities for data protection officers. So I guess to answer what your original question was: the impact on businesses, and the impact on other organizations that function as data controllers or processors, is a formalization of what these roles and responsibilities are, as more and more people out in the world and more and more organizations become aware that there are legal and regulatory obligations that go with processing personal data, because the public demands that there be. I think that's my initial take.

Great, well thank you very much. And you mentioned that there are 157 countries with data privacy laws, and one of those countries that's missing is the United States. We'll turn to that discussion in a bit, but before we do: if you're a small business looking to expand into an international market, those are a lot of different regulations to comply with. When GDPR first came on board we saw a lot of questions about what this was going to do to competition, what the impact would be on the startup and small business sector. Nathan, I know you work directly with small businesses and with some of those smallest startups. What have you seen when it comes to the conversation around GDPR and small businesses and startups over the last five years?

Yeah, well first, Jennifer, thanks so much to you and to the Cato Institute for holding this event today. Really excited to be here with my esteemed colleagues. And yes, as you say, Engine, we're a nonprofit based here in Washington, DC. We work with government and a network of thousands of startups across the US to promote pro-startup, pro-innovation, pro-entrepreneur policy, and one of those policy areas that we work on a lot is smart digital trade policy, to make sure startups can compete around the globe. And data privacy: startups, to Lee's point, their users expect that their data is going to be protected and used in ways that they expect, and startups want to respect that. But at the same time there's a lot of regulation and government that says how, and the manner in which, that occurs, and GDPR, I think, in many folks' minds, and especially those operating in Europe, is kind of the first that brought this to the fore in more recent times, though as you say not new. So let's just walk through initial impact reactions from startups following GDPR's entry into force. Thousands of companies, large and small, left the EU market or used geo-blocking technology to prevent EU users from accessing their services. We were just joking before this panel: you wrote an article and your friend in Europe couldn't read it because the newspaper wouldn't allow EU users, EU citizens, to access their paper's website, but all your LA Times and the like of the world have gotten on just fine. Here in the aftermath, many startups haven't returned to Europe or maybe shut down altogether, and in fact GDPR induced the exit of about a third of available apps in the app stores. You could argue that those are probably some of low quality and it's probably a good result, but probably not all of them, right? And so there's some loss there. And the other side of this is some people like to insinuate that, oh well, they left because they didn't want to comply with GDPR. I'd actually argue businesses want to comply; we kind of started our conversation there. But the reaction of leaving really demonstrates that they want to comply, because the economics, laboring under the risk of giant fines, the initial compliance costs of GDPR, several hundred thousand dollars for startups to several million for larger organizations, is just too much for maybe a startup that doesn't have enough users to justify spending those costs. So they leave or delay their entry. And I'll pause there so we can hear from Brandon.

Great. Brandon, I'll now turn to you. I mentioned that one of those countries that does not yet have a data privacy law, at least on a federal level, is the United States. I think five years ago there was a lot of optimism that we might see a US response, something that would perhaps have a more free-market or less regulatory approach to data privacy. In the five years since then we've seen data privacy laws emerge at a state level, and now it seems like we may have a new amount of momentum for a federal data privacy law, this in combination with the fact that we see in polling that data privacy kind of remains the technology policy issue that Americans are concerned about. And so I was wondering, what do you think US policymakers can learn from five years of GDPR as they consider a US federal data privacy law?

Well, Jennifer, thanks for having me, and of course to Cato too. Beautiful facility, by the way; I was just saying I've long followed Cato but I've actually never been to your headquarters here, so great to finally be here. But to your point, let me start on a positive note. I think GDPR did advance the privacy conversation. There are a lot of lessons learned from it, and I think it definitely furthered the privacy field, between the number of vendors and the number of people working in it, so I think that's good. But it is not the perfect law by any means, and I'm routinely asked to this day, should we just implement the GDPR in America and that would be the solution? My answer is no. Not to say there aren't takeaways and key lessons learned that we couldn't adopt, but it ultimately is not the balance that I think, nor the R Street Institute thinks, is correct. And really what I mean by that is finding a balance between industry, consumers and security. But to take a step back before I go into specific examples, I know some of the people in the audience are already experts, but just to set the framework of what we have now and maybe where we would go: to Jennifer's point, state action is happening at an incredible speed, matter of fact quicker than I had thought. Not only will we have five state laws either go into effect for the first time or update this year, we also see a number of state legislatures aggressively acting on them. It's very likely we'll see maybe ten or more state-level laws passing or being in effect this year. Add to that the desire by federal regulators to act in this space. The Federal Trade Commission started their advance notice of proposed rulemaking with 95 questions, regulating everything from targeted advertising to security. I realize that may be scaled back, or it may not go forward with all 95 questions, but that's still happening. Meanwhile we don't have a federal standard. Congress, in my view, is still very interested in it. We saw tremendous momentum, especially last Congress with the American Data Privacy and Protection Act, or ADPPA, however you'd like to say it, and it passed out of committee with a 53-2 vote. There are very few pieces of legislation that can get that type of support. Not to say it was perfect in every sense, but I think it was a significant step forward, and it really aimed at compromise. I think there's no bill that can be perfect for everybody, but I think seeing where that middle ground is is important. So as we move forward, what shouldn't we do that the GDPR did, or what lessons learned? I'll expand upon these as we go, but maybe just a few that stand out. I think ultimately, my view, maybe I'll sound a little cynical, with a lot of EU legislation is that it's very regulatory and very enforcement heavy, and I don't think the GDPR is any exception. I think, with the number of fines that have come out, most recently with Meta the other day, which I know we'll get into, the goal should be to increase privacy, increase security and increase just the general field, not to be a very regulatory, enforcement-heavy approach, and I think that is, in my view, the direction GDPR has unfortunately gone. And I think that's important, because when we think of what the enforcement mechanism in America is, do we want to see four percent fines, or do we want to see something that's more modest, maybe, to still deter the behavior or penalize bad actors but not necessarily shut them down? I also think that we need to be mindful, to your point, that there are businesses of various sizes. We like to just lump everybody into massive companies, massive international corporations. Of course they exist, but we also have many small actors, so I think any legislation we do here, I think we should make it more nuanced to address the fact that we have many small actors in this space and their compliance capabilities may not be that average 1.1 million dollar figure that we often see to be the case. Maybe two more points. Harmonization: that is key, especially for the US. I think any action we take should be one federal standard; that way we don't have this patchwork that I was alluding to before. I think that is really hurting businesses and, more importantly, it's hurting consumers, because more likely than not you're in this room and you live in a state that doesn't have a state privacy law. Whereas in GDPR many tout that it is the uniform standard, maybe some would disagree with me on this stage, but we've seen variations. We definitely see different levels of interest in enforcement actions; we've seen different interpretations. So I think that is something to be mindful of as an American standard rolls out. And something of course that's near and dear to me is security, protecting the data once it is collected. GDPR does have a section. I actually think some of the more American proposals we've seen more recently have gotten the balance better, and why I say that is, if you looked at the draft legislation from last Congress, it alluded to the fact that not everybody has the same data privacy and data protection needs. You may have a limited amount of information but it may be very sensitive; on the other hand you may have a ton of information but it not be very sensitive. You may have strong compliance and security programs in place already, but you may not have the capabilities. So those sound like just legislative drafting considerations, but they are significant, and I think that's something to keep in mind as we move forward in the US.

I just want to give all of our panelists a brief moment: if there's anything that someone else said that you want to respond to, before we continue with our panel and our Q&A.

Yeah, well, I'll underscore what Brandon was just saying here on competitive impacts and disparate impacts on large and small companies. Just going back to GDPR, startups saw reductions in profit by more than 10 percent, while larger companies were relatively unaffected. That's a competitive impact that's disparate between company sizes. And then a few other ongoing impacts: US startups forgoing the EU market altogether or delaying a lot longer. That's not just GDPR; I'd argue it's the regulatory environment writ large. Investment in startups with EU exposure has been negatively impacted. So, just one example, there's a pretty innovative travel software startup in our network; they, among other things, help break down language barriers, help you have a better trip, et cetera, et cetera. But every investor meeting they take, they get asked not just about GDPR but about things like the DSA and the coming AI Act, and that weighs on investors' minds. I think it shows that, but also they've struggled to raise from folks that are apprehensive about investing in folks with international exposure, especially given the current international environment. And then a final thing I want to say is that, in relation especially to a national framework, right now I think we see GDPR as a standard, but not necessarily in the way that Lee was talking about with the Brussels effect; we also see it as a private standard. And what I mean by this is software-as-a-service startups, startups that mostly sell to business, business software, selling to large multinational businesses, just like a lot of startups (I think something like 60 percent of startups are B2B SaaS companies), they often have to complete a third-party risk assessment before they can provide their services and actually win a contract. And oftentimes large multinational companies, because they have EU exposure or might use the software there, or even if they don't, base their third-party risk assessment upon elements of the GDPR. And because US startups aren't necessarily familiar with this, if they haven't operated in the EU before or thought about this thing called GDPR before, this can be a significant barrier. They lose out on opportunities or they spend a lot of time and resources: not just something like 20 percent of the contract, usually 10 to 15 percent, but the highest number in our latest survey of our startups was 20 percent of a contract on these costs. So I think that could be solved by a national standard here in the US from both directions: one, the large companies would have a US standard to look to, and startups would be familiar with it. So just a plus one for a US uniform federal privacy standard.

Yeah, I'd like to interject there on the end of that too, at the risk of sounding like a repetitive demagogue, I guess. I think that you can look at the development particularly of the patchwork, as you've referred to it. We love talking about the patchwork; my colleague Keir Lamont has done a lot of work tracking the development of state privacy legislation as the federal government continues to do or not do its thing, although I know he hates the term "patchwork". He's like, it's way overused, so when I say it I think, Keir, I'm sorry. But the reason that's happening is the underlying demand from, I mean, voters. Politicians wouldn't be interested in regulating in the space if the public wasn't interested in regulating in the space, and if the choice is between the patchwork, if that's what we're going to call it, or effectively, aside from whether or not you're captured by a sectoral federal law, no rules, it seems like legislators are willing to jump into the mix as long as the federal legislative lawmaking process remains stuck. I think similarly federal regulators are relying on rulemaking authority for the same reasons. I can't speak for the FTC, but if you made me guess I'd say that they would prefer to have a new federal law that laid out more specifically and more recently their rulemaking authority in this area and maybe provided them with some more resources. But we don't have that yet, so now we have basically the process that you described happening. And similarly, to address some of what you said about the post-enforceability effect of the GDPR on, I guess, the SaaS community, and particularly the startup community, many of which, I think it's worth noting, are mobile application service providers or something like that: you noted it was something like a third had fallen out of major mobile application distribution entities. One of the things that happened after the GDPR became enforceable was also that the developer terms for both the Google Play Store and the Apple App Store changed, and there was likely more private interest in requiring entities that had posted things to the store to comply with the terms that had previously existed. Prior to my role at FPF I was in private practice, and I can tell you that when we were doing compliance work with entities that were interested in that sort of business, there was a significant change in what the view of the platforms themselves was, like the Google Play Store and the Apple App Stores of the world, and their relationship to entities listing their products on those stores. So I don't know if we're looking at a phenomenon that's solely just like the iron fist of the regulatory apparatus crushing innovation on the internet. There has to be some kind of middle ground in terms of the regulatory space, and I'm by no means up here as a GDPR evangelist claiming that it has no problems and there haven't been any issues since the regulation became enforceable. There are a number of things that we can talk about later on that front, but I think the most important thing that I would look at is the underlying public demand for something like what it does. I think also driving the Brussels effect that you referred to, the adoption of GDPR-like laws in other jurisdictions, that wouldn't be happening if, you know, it's not purely, I think, for the ease of pursuing adequacy findings from the EU Commission, although that is undoubtedly part of the consideration; it's also because that's a model that has proven at least somewhat predictable in how it functions from a regulatory perspective.

As I say, I want to bring Brandon into this conversation just before we turn to some very interesting questions, with which we'll dig deeper into some of these issues as well.

No, I'll be quick because I know we'll get to it later. I would say this really underscores the need for the US to take action now, because, absent that, I don't blame many companies for voluntarily following GDPR. It's a strict standard and chances are it's going to meet a lot of other international frameworks. The unfortunate part is it's not a pro-innovation American view on how tech and privacy should be regulated, my personal take. At the same time, that's also the reason why we see federal regulators acting, because we don't have a standard. So I would prefer to see Congress in the driver's seat setting forth what an American vision on privacy looks like, rather than the EU dictating what American companies follow in almost all cases, and a federal agency taking the step forward. Not to say there's not a role for the FTC; I think they definitely have a role, but I think Congress should be dictating where the role is, and I think we saw that with the ADPPA last Congress. Congress gave them lanes to do rulemaking in and kind of said, we'll act on security, help flesh out these other areas. I think that's phenomenal: Congress sets the vision and the agency provides expertise in line with Congress, and there can be some oversight.

If I can jump in here before you, Jennifer: I think that's exactly the middle ground that Lee was talking about, right? It's not so much GDPR's fault as the vacuum of a US standard, in my view, and I think for a lot of startups as well.

So we've seen, over the Brussels effect and European standards versus American standards, a number of tech policy issues, some of which actually do intersect with the GDPR and the data privacy debate as well. I'm thinking about some of the very exciting technological innovations that we've really seen take off over the last five years. I know in 2018 we were seeing conversations about, can blockchain comply with GDPR? But in the five years since then, and particularly in the last year, we've seen this rapid emergence of artificial intelligence, and particularly of generative AI, and some new questions raised around that. I know there were a lot of concerns about, could ChatGPT comply with GDPR? I was curious, what are your thoughts on the way that some of these disruptive technologies may be impacted by GDPR, and on that underlying question of things like, can AI comply with these European standards?

I guess I'll jump in first. I mean, one, for some of the newest stuff, if we're talking about ChatGPT or its contemporaries, other large language models or other foundation models, it sort of remains to be seen exactly what the technical solutions are for enabling compliance with something like the GDPR, with consumer rights like the right to be forgotten interacting with a massive training data set that may include personal information, and how does one go about implementing unlearning something that a model has learned after a user, a data subject, submits a valid request for deletion. But I also, I guess, would caution everyone from thinking that the sky is immediately falling. I mean, there is a risk assessment model built into the GDPR based on the purposes of processing. There's a process in place for determining what types of processing, based on their purposes, qualify as high risk, what sort of documentation is necessary, what sort of transparency and disclosure options are necessary. I do think we run into more difficult territory when we're talking about providing meaningful information about the logic involved, for example, which is a transparency obligation for automated decision making under the GDPR, and what that means when we're talking about LLMs like ChatGPT, where we might not necessarily be able to do that in a way that's human intelligible. That sort of black box problem is not new to LLMs, though; a lot of AI tools and AI implementations have that issue generally, and frankly I think that's a problem. To steal from an argument that a colleague of mine made a couple of days ago, AI is not just a privacy problem. I mean, there's a bigger issue here where the purposes and the functions of these tools, I mean, there are competition issues, there are, I guess, issues of the effect on basic democratic principles in terms of the availability of misinformation versus interest in preserving free speech rights. So for these new technologies I don't think it's just a privacy thing. I do think that, as my friend here alluded to earlier, the GDPR is not the only thing to look at in terms of the regulatory environment for AI technologies, particularly foundation models or other large language models. There's also the forthcoming AI Act. Depending on the scale of the entities that are putting these tools into market, they may be subject to the Digital Services Act or the Digital Markets Act in the EU, and you may see similar attempts, I think, emerge around the world to similarly, especially, I guess, put in a special regulatory category entities operating at a certain scale, which I think is probably the, if you get really reductive about what the DMA and the DSA are doing, when you have these gatekeeper entities or these very large online platforms, the thought behind that from a regulatory process is that you're in a separate space once you're dealing with the data of 45 million EU residents than the other entities in the market, which, to both of my colleagues' points up here, is a recognition that there's a difference between a mom-and-pop SME and one of the largest tech companies in the world in terms of what their relationship to regulators and governments should be. So that's a long-winded way of saying, I guess, it depends, as we lawyers love to say.

I would actually expand this question a little bit too for our others, as you know there's an interesting phenomenon where, while we have these data privacy specific laws and regulations like GDPR, we also see various data privacy or data security regulations pop up in kind of other places, and sometimes it seems like there could be potential conflicts between these. I'm thinking of something in Europe like the Digital Markets Act's requirements with GDPR, but we've also seen this with proposals in the US, questions of can state laws comply with each other, how different state laws may comply with GDPR, how different regulations proposed around topics like online content or youth online safety or AI may impact the data privacy of individuals as well. I was wondering if Brandon or Nathan, I'll turn to you first, if you could speak a little bit on how do companies and consumers consider those potential conflicts, and do you think there are potential conflicts between things like the DMA and the GDPR in Europe, either way?

I don't have much to say on conflicts, but in terms of the overall kind of landscape, we touched on this earlier. I think startups are nervous, and investors and startups are nervous, and I think when it comes to learning from the consequences of GDPR, which may be why we call this "GDPR at five", right, I think some of the European policymaking might be continuing a pattern of, not unintended consequences, but maybe disregarded consequences for startups in particular when it comes to tech policy. So last year startups saw this in the DSA. So the DSA burdens startups with obligations that today's incumbents never shouldered at that stage, things like transparency reports, user appeals and facilitating those, and more. Not saying that they shouldn't have to figure that out; perhaps they should. But a comparison for size: we talk a lot about disparate impact between large companies and small companies. Comparison for size: Facebook first released a transparency report in 2013. It was worth 139 billion then. It first allowed users to appeal removals of photos, videos and posts in 2018. It was worth 374 billion then; it had 35,000 employees. A startup with 50 employees, which is every startup large enough to offer user-generated content hosting in Europe, has to do that and more under the GDPR, or excuse me, under the DSA. So like GDPR, there are going to be some disparate and some competitive impacts here when we think about startup success in the European market, particularly for US startups. This is going to be a barrier increase and kind of continuing the pattern we saw maybe with GDPR, and maybe we might see with the AI Act as well. But Brandon, answer her question more directly on conflicts.

No, I actually have answers to both, and I'll try not to make this a monologue here, but let me first start with AI, and I say this knowing my colleague who is a true AI expert is in the room, Adam Thierer, but let me nevertheless cover it anyway. So I would say something I push back on with AI a lot is, AI is not a new technology. It's been around for years; matter of fact we use it on a daily basis. I used it really just to get here, using Apple Maps and Google Maps. I think it's gotten a lot more prominence now because generative AI is part of the conversation, like these chatbots that we're seeing; that's the reason. And secondly, I also push back, not saying that either one of my colleagues here said that, push back against the notion that it's like a wild west and there's nothing. There has been a lot of great study and a lot of great research put into AI governance already, both on the corporate side, corporations voluntarily studying this and holding themselves out to standards, as well as different trade associations and nonprofits that have also put that out there, and then most recently with NIST. NIST has done a phenomenal framework around AI, building on their privacy and their cybersecurity framework. So it's not like we have nothing out there, and I think that's the notion that a lot of people are unfortunately taking, whether it be on the Hill or in the media. And I think that leads to a point that, between GDPR and whatever the United States does, we did take into account innovation. In both ADPPA and GDPR, they call them different things, but they essentially have different reasons and different bases for collecting data, and that's really key, to make sure that whatever we do in this legislation is not hampering the innovation of tomorrow. We may not know about a future need. I'm not saying we don't have any guardrails around data and its collection, use and sale, but I would hate to see technology and business practices hampered because of something that is very rigid. To your most immediate question: there are exceptions, but generally, if I had to characterize a lot of the EU action, I would say it's very regulatory based, very enforcement heavy, and generally produces less innovation. There are definitely exceptions to that, and I think, like I tried to start with, there are benefits of GDPR. But I would say, to take the Digital Markets Act in particular, to connect it to cybersecurity, because that's ultimately where I spend a lot of my research interest, there have definitely been cybersecurity concerns around that. A lot of it has been couched in the sense of, let's promote competition, but along with some of the specific provisions, which we can get into if there's interest, they lead to data potentially being disclosed; it leads to hampered cybersecurity practices. So those are things that we don't necessarily think of, and I like to think even like antitrust action in the US, I don't think that's the intended goal ever, but we do need to be thinking through these unintended consequences.

So one day earlier this week I opened Twitter, and in my trending was hashtag GDPR. As much as I would love to believe that that was because this event had so much desired attention on it, the reason that hashtag GDPR was in fact trending was the announcement of what is the largest fine to date in an action against Meta, or more commonly known as Facebook, that was both a retroactive fine that was the largest fine that we've seen but also has many other questions raised, particularly around the status of EU-US data flows. We've seen in the five years since GDPR the death of what was known as Privacy Shield, which was what had allowed a lot of these data flows to occur in the past. We've seen an executive order that seems to attempt to remedy this situation, but we're now in this kind of point of uncertainty, and particularly given this most recent action, I was wondering if our panelists could speak a little bit about what, if any, concerns there are currently about the ability of US-EU data flows for companies of all sizes, and what, if any, framework is needed in that regard.

Well, this is a subject that's near and dear to my heart, so I can at least start us off. For one, I'm going to shamelessly plug some of our own work here. We actually earlier this year published a comparative report looking at one of the main transfer tools in this space, specifically the transfer tool that the recent enforcement action against Meta found their use of to be invalid, which was comparing the EU's standard contractual clauses with other contractual documents that have been put forward by other regional entities. The Association of Southeast Asian Nations and the Ibero-American Data Protection Network also both have model data transfer contract clauses. But I guess to set the stage for this discussion a little bit here, I think really underlying this long-running series of enforcement actions and lawsuits about lack of enforcement actions and decisions by the CJEU is that there are two fundamental disagreements that are happening. One, there's a disagreement between the EU and the United States as to whether or not United States government laws permitting government access to personal information held by US companies meet the "necessary and proportionate" language that is required by EU data protection law and, ultimately, according to the CJEU, the European Charter of Fundamental Rights; and then also within the EU, whether or not the same is the case. I mean, you have, I would say, not even Privacy Shield as the first step; you go back to the one that we always forget about, the Safe Harbor agreement. Everyone says the new Data Privacy Framework is Privacy Shield 2, and no, I think it's Safe Harbor 3. And this predates the GDPR significantly. I mean, the first, if we call them the Schrems cases after Max Schrems of noyb, the first lawsuit predates GDPR. It goes back to allegations, still against Facebook, that transfers to the United States violated obligations under the Data Protection Directive, and that's what brought down the Safe Harbor agreement, and then its predecessor Privacy Shield, and now this new one. I and my colleagues have been plugged in at various levels of the just sort of ongoing negotiations around the new DPF, and the fundamental objections that the CJEU had, if you boil them all the way down, deal with, one, whether or not US government access to personal information is necessary and proportionate, and two, whether or not there is a right of redress available to EU citizens that they need to have per the Charter and per the GDPR, and whether or not the new executive order and its accompanying Department of Justice regulations creating the Data Protection Review Court will satisfy that I think is an open question. I think we already know, given that there's been a draft of an adequacy decision already promulgated by the Commission for comment, it's likely there will be a finalized adequacy decision based on the steps the United States has taken and
that as soon as that happens there will be another lawsuit uh by nyob so the real decision will happen after that uh complaints and subsequent suits and the whole procedure is followed and we get back in front of the court of justice and the European Union and the real test will be whether or not that body thinks that the changes from where we were with the Privacy shield and the Ombudsman that satin State and the procedure that was available then versus what has been established now is sufficient um yeah no I you want to go first sure I'll just uh just to add to what you're saying and and and and to paraphrase James Carville it's it's the spying stupid um like with the recent medicates for example um I think you know elements of the U.S national security apparatus are mentioned like 200 times and fisa 702 is is almost half of that um U.S surveillance as as you just just alluded to contributed downfall of privacy shield and safe harbor for that it's going to be at issue um when trems challenges the DPF later this year and then when that works through over the next several years um say for Section 702 is up for reauthorization this year so to answer what policy makers maybe can do maybe this is an opportunity to to satisfy some of the the not only the civil liberties uh kind of concerns that that civil liberties Community has but perhaps also kind of this secondary trade impacts that that we see and it's really really important to solve for startups whether it's through you know uh the the DPF being put into place um so that there's a legal transfer mechanism that can be relied on relied upon by startups to facilitate uscu trade um you know something like 70 percent of the Privacy Shield participants were small media size Enterprises and starbs face a lot of a lot of costs after you know July 2020 um when when privacy Shield was invalidated they had to change to standard contractual Clauses they lost uh contracts and clients in in the meantime um and and secs aren't 
exactly uh cheap to to facilitate so um I'd say you know for folks uh I'll lose my directions here for folks up there um that that care about opportun entrepreneurship care about startups um yeah folks in the Commerce Department need to be you know working with their their EU colleagues to to make sure that the adequacy decision and the DPF has put into place as soon as possible but there's a role for Congress to play here too whether that's with 702 or or or or or other putting those mechanisms in EU in U.S law in other ways than through an EO yeah I would say um unfortunately it does seem like we're in this reoccurring cycle where we find a solution then it's challenged then it goes away then we find another one to challenge it goes away it's this never-ending cycle I do think that's ultimately bad for business and that's the problem is there's limited certainty even especially where we are now like I think it really put starts to clock to finalize this process because we could see a very real scenario than a period of months where beta flows just stop like I know a lot of people say maybe I'm an alarmist on data localization some of the threats around there but that's a real risk and to the points that Nathan shared earlier like there's a risk that maybe companies will just stop doing business in certain areas or just have entirely different business model it'll become a specific product for for one company or one country rather and I would say like I'm not saying this is easy to solve I mean look at the 702 alone in the U.S there are so many different opinions around how that should play on one hand we want to completely stop 702 have it not even be a investigative tool on the other hand let's just keep it as it is and maybe even make it even have more ability and then there's this you know hybrid maybe keep it but reform it in some modest ways and we don't have agreement on there so it's not surprising that the EU looking into our apparatus here would be 
questioning that and a fair point and this is a criticism I actually hear a lot by EU colleagues is that you don't have a U.S data Privacy Law so how are you in a position to tell us that you're adequately you know protecting data I know a lot of the concerns are more in the National Security side and they're going to maybe conflating to but it is a valid critique to build on Brandon's point there I I think that there is um a significant element of that particularly in if we just look at the uh the statement released by the European Parliament uh uh last week I think the as they uh came to uh uh also you know lots of busy things happening in that body uh they also came to their uh their compromise text for their version of the AI act for trialogue negotiations but um talking about potential adequacy uh and U.S actions in relation to this sort of of ongoing data transfer problem one of the things that they cited as a concern was the lack of a U.S federal data privacy now even if Congress asked something like that wouldn't let also contain 702 amendments and what goes on with other key you know core National Security authorities like EO 12 Triple Three is up to the White House um but I I think yeah it's it's not something that we can ignore as far as domestic policy in this country goes and our relationship to not just the EU but increasingly other countries you know I don't know if this is a next year problem or a five years down the line problem or ten years down the line problem but a lot of other countries that have Brussels affected their way into a National Data Protection Law that looks like the gdpr and contains cross-border transfer restrictions or requirements that other jurisdictions be assessed on the basis of adequacy or essential equivalency or whatever the the the phrase of the day is I mean that may start coming up you know it's not just a transatlantic question there are a lot of jurisdictions particularly a lot of growing major economies in the 
global South uh you know for example the lgpd in Brazil a huge you know the largest economy in South America uh there is a similar provision there and other economies elsewhere southeast Asia and Africa uh those jurisdictions are adopting similar data protection rules and those concerns are not going to evaporate I know there are plenty of things we could talk about we haven't even gone into you know half of the questions of of trade-offs with with these kind of regulations or things like that but I do want to bring our our audience into the conversation both online and and here in person if you're on joining us online you can join the conversation and submit questions for our panelists either directly on the event webpage Facebook and YouTube or on Twitter using the hashtag Cato technology and while if you are here in person if you'll raise your hand we do have a microphone going around so that those people online as well as our panelists will be able to hear you but I'm going to start with a a question from online this comes from will via social media and I I think it's a good reminder of the consumer experience of gdpr has anyone estimated how many hours days or years Humanity has lost clicking through gdpr notices like cookie pop-ups I I asked this I don't expect any of our panelists to necessarily have a a calculation although I'm very interested if they do but for some people who might not be as familiar with with the kind of legal questions we've raised about gdpr or the the policy questions what has has the average American Consumer experience of of gdpr over the last five years I have a fun possibly a Pocketful answer to this question it references what is now a number of years old but a Carnegie Mellon paper that um and I'm pulling this off the top of my head so you please don't burn me at the stake if I'm wrong but uh uh there was an attempt to calculate the amount of time that it would take to actually read at an average reading speed of all of the 
terms of service agreements and privacy notices that the average American interacts with over the course of a year and it was something like like 16 full 40-hour weeks it was something ridiculous um and I think that that demonstrates I mean there is a question for one to the cookie notices question there's that's several regulations interacting that's gdpr that's the e-privacy directive which may one day be replaced by the e-privacy regulation who knows um but there's a question of like are the Privacy notices for every consumer or are they for Consumer advocacy groups and non-profits and if someone is curious about something that is happening the ability to go back and look at a disclosure that affects them um you know I will fully admit as a a person who's done privacy work as a legal professional for my entire career I don't read most privacy notices in most terms of service agreements but sometimes I do and you can always go back and and look at them and so I I imagine that's the the common consumer experience I mean we all know like the the notice and choice model is like the emperor is naked of the Privacy world like most people don't actually read through each terms of service agreement with great detail um so maybe less time than will on uh Twitter thinks has actually been spent reading these things um but that I don't know that that invalidates their utility entirely to have uh regulations in place that require them to exist yeah I think we'll ask that ingest or or I hope he wasn't asking for a serious answer because we probably don't know but I think he hits on a fundamental Truth uh uh for for startups about um the the consumer experience and that is when you add a layer to actually accessing your service the amount of users that that stay with your Service drop um and so we talk about isn't going to be a broken record you're going to say this is the guy that talks about disparate impacts between large companies and small companies you know large 
companies you've used them before you're willing to click the boxes and read the notices you come up across a startup that provides a service that sounds like maybe you'll use it maybe it'll be beneficial but then you have to click through all these things and read this notice um you know startups in our Network when they Implement these sorts of measures they see their conversions drop by 50 or more just the amount of people that initially were going to you know clicked into the thing and then decided you know what never mind I'll go use something else and so that's that's an unfortunate consequence for for startups and I think that's something that we have to think about we when you say that the the emperor has no clothes well we should we should figure out uh how to solve for that yeah I would say it's this is like a great privacy job interview question kind of like you know how many golf balls fit in an airplane like this is like I'm stealing this question but what I would say is you know I shouldn't admit this but like I I get so annoyed by them it's not a matter of clicking deny or accept now I'll just accept the screen being gray and having the pop-up just stay there and scroll down and read the context maybe that's like I don't know maybe it's just easier to click than I but um I would say this is a good point for for America and the United States Congress to consider as we're implementing it is that what the model we want the United States or we'd rather look to a more structural and solution not to say there's no value of of notices I think there is some value but should we follow the gdpr's model I would say no I'd like to see if we have any questions in our are in person audience it was one of the average computer consumers that you folks probably today don't have time to get into it but I'm always struck that of all this sloppy data protection that's out there it gets into the Criminal part and I'm not even quite sure what the dark web is but I know 
that much of my data is there and I think a lot of it got in there by the big hacks at the basic credit companies and more recently T-Mobile people like that but a couple of questions that may sound naive I'm curious I don't remember hearing ever even though I get warnings every day on my internet about all the dangers that I have to do to protect myself I don't know whatever who goes to jail for this I bet you're not one person from Meadow went to jail for that huge fine and how do we look into that thing and then the other question is how big is the industry that's out there protecting us from all this danger that I am supposed to give money and time to every day when I look at my internets and how much are they actually lobbying to keep the mess going and blocking Congress from doing effective protections for both individuals and especially small businesses which you made a good point and even large businesses so I I if you don't mind I I love your questions and I actually get asked on a daily basis I run a cyber security team why does the cyber security team own the data privacy and consumer privacy issues and I think this is exactly why because you know it's one thing to regulate around collecting data but we need to make sure the data we do collect is secured because if it's not we see adversaries using it like China just as one example we see criminal actors and a host of other issues that can lead to identity theft future crimes future cyber incidents so it is a mess and I think that's the real risk if you are not in a regulated industry like you know hippo with health care or glba with Finance largely speaking you don't have rules surrounding how your data has to be secured so you can free freely collect it and there's no safeguards there are some exceptions FTC may come after you if you've said that you are protecting it in a way and you're not you don't follow reasonable security but generally speaking there's no Baseline and I think that is to me was 
the selling feature for a privacy on the US is that there would be data security safeguards and what they call administrative Technical and physical all that meaning is you do have to have measures in place that are appropriate to safeguard the data you do collect because of the fortunate reality is data breaches have went up um and unfortunately they are becoming more severe and we've seen this actually happen in real time um just within Russia I know this is in a Russia Ukraine panel but we've seen Russia maybe both sides but mainly Russia has it amassing this super sensitive data to Target individuals in the conflict going after for either disinformation or for physical violence so this data does have value outside of just being annoying because somebody's spending you spam same mail so I see an urgent issue um and I can piggyback a little bit onto what Brandon said uh to your specific experience um I I'm revisiting my former life as a private practice attorney doing privacy and cyber work um did a fair amount of incident response and the way that our system is structured is they're under state law which usually governs data breaches unless you're in a federally regulated space typically there may be you know civil liability attached to an entity that's behaved negligently in securing its data but in terms of who goes to jail for this we only attach criminal penalties to the attackers so the advanced persistent threats to the criminal actors who are actually you know trying to break into the data and generally speaking those I mean those people are often not in reachable places it depends on the it depends on the problem it depends on the breach but you know this is the difference between a state data breach law that may have a negligence requirement may have uh personal damages uh element to it if a company has behaved badly uh and the the federal Computer Fraud and Abuse Act which is what would actually apply criminal penalties to unauthorized access to a 
protected computer system that's I know for many people um likely including yourself that's an unsatisfying answer right um and that's why I think a lot of uh the more recent Federal proposals have included uh not just sort of more classic data privacy and data protection issues like consumer right of access consumer right of Correction but also Provisions dealing with security obligations appropriate Technical and organizational measures is the phrase to steal from the gdpr um but uh as my colleague here alluded to um but yeah I mean it's a major concern and I I don't as you mentioned I don't think it's going anywhere there's once your data's out there to some extent it's out there and there's only more data breaches so that's a great point I don't want to sorry I didn't want to cut you off oh no no no real quick I didn't want to fully discredit like our law enforcement Community is doing a wonderful job like like we do see convictions occurring by Department of Justice against Americans but but to your point it is largely foreign actors so it's this isn't ingest we see cases being brought against for like individuals that are in China and Russia carrying these out and they are convicted but then like The Logical next step is okay well they can't come to Disney World I think that was that was how the media put it because if they don't come back to the U.S China is not going to voluntarily give these people up so is it even worth it you know I'm I think there's it's good to go through the legal process but it's not giving the satisfaction a lot of people want we are running short on time I know this is a conversation that we could could keep going and many many other questions to get to um but just to wrap up I'd like to give each of our panelists you know one minute to to ask you know five years from now if we were hosting gdpr at 10 what do you hope would have changed and what do you hope would still be the same and I'll start with Nathan all right well I mean I 
hope that in five years we're not talking about 10 years of gdpr but maybe I don't know like four years of a U.S standard um celebrating the ways that that maybe we actually got this right um that's that's pretty pretty optimistic but I think that's something that needs to happen for for startups like those we work with um yeah a uniform Federal privacy framework that works for startups is something that's really needed that's what that's one that creates uniformity relates Clarity limits bad faith litigation accounts for the resources of startups and and really recognize is the internet interconnectedness we talked about large uh large entities and small entities it really really recognizes the interconnectedness of the the internet ecosystem Lee although it would force me to change the focus a lot of my of a lot of my current research and writing I really hope that in five years from now maybe we will have finally put this EU us data transfer question to bed uh and we will have arrived at a diplomatic and political solution that uh everyone on both sides of the Atlantic is if not happy with uh can't we can say that it represents what looks like a good political compromise where everyone is mad um so uh that that would be my hope for the for the next five years yeah I actually largely agree with both of them I think I would just really further the point home of why we need a U.S data privacy and security law now um like Industries at Aloft consumers that are lost Securities at a loss are international standings at a loss Innovations at a loss and so on without this law I know Congress is putting a lot of time and effort for it but I think it is time we finally move it forward and hopefully we'll be reflecting on what is a U.S Privacy Law look like five years later in five years I know a lot of this conversation has been a bit retro retrospective looking back on on what's kind of happened in the aftermath of gdpr I look forward to continuing the conversation with 
our panelists and with our audience in terms of what we may see looking forward both in terms of us and EU actions if you could please join me in thanking our panelists for for being here today thank you thank you for having us and thank you to our audience as well and those of you joining us online this concludes this event for those of you joining us in person lunch is available in the foyer thank you thank you
Info
Channel: The Cato Institute
Views: 441
Id: PtazFWiG92M
Length: 59min 1sec (3541 seconds)
Published: Fri May 26 2023