Human Rights Watch (HRW) and Amnesty International (AI) issued a press release today on a letter and brief the two organizations sent to European Justice and Home Affairs Commissioner Vera Jourova arguing for invalidation of the EU-U.S. Privacy Shield.  The letter and brief can be found here.  On substance of the criticism, these groups continue to sell the U.S. surveillance framework short, failing to recognize extensive transparency and safeguards that underlie the U.S. framework.  That aside, invalidation on these terms is not appropriate because the European Commission’s reasoned and detailed adequacy decision was based on information about U.S. surveillance practices and laws that the Commission had when the decision was released on July 12, 2016. After reviewing the commitments self-certifying organizations would make under the privacy shield and the enforcement mechanisms available under U.S. law, the Commission said, “the United States ensures an a ...

Does the EU’s right to be forgotten extend to the whole world?  The French data protection authority, CNIL, says yes and wants search engines to delist search results which contain information that violates the European Union’s right to be forgotten – not just for French users, not just for European users, but for all users everywhere. Google is prepared to remove offending search results for European users, but balks at removing material globally just because European courts find that it violates European privacy rules. 

Today, the EU and Japan announced political agreement in principle on an Economic Partnership Agreement.  Overall, this should be a positive development for EU and Japanese workers, consumers, and businesses.  But, it does fall short in one crucial regard.  There is no binding data flow obligation yet.  SIIA put out a statement on this gap today.  Instead of a binding data flow commitment now, the two sides agreed to conclude an accord on data flows in early 2018. 

In a March 30, 2017 opinion piece, “Don’t trade away data protection,” two leading Members of the European Parliament, Viviane Reding and Jan-Phillip Albrecht, suggest “strengthening data protection safeguards in the General Exception (known as GATS XIV) and E-Commerce chapters, and removing necessity and consistency tests.”  The idea behind the proposal is to make absolutely certain that the General Data Protection Regulation (GDPR) and perhaps other parts of the EU privacy acquis could not be successfully challenged as inconsistent with an affirmative cross-border data flow obligation.  This is a topic SIIA will comment on again in the coming months, likely in a longer form Issue Brief.  This blog discusses the proposal to remove the necessity test.

Last week, EU Justice Commissioner Vera Jourova announced that she was going to propose a law on law enforcement access to encrypted data.

The Elliott School of International Affairs hosted a very interesting conversation today on “New Avenues to Govern Cross-Border Information Flows.”  SIIA co-sponsored the event together the Internet Society of Greater Washington, D.C.  The Institute for International Economic Policy (IIEP) presented the event.  Research Professor and Cross-Disciplinary Fellow Susan Aaronson moderated. I provided an industry perspective, and my talk is available here.  My written remarks focus on what we hope to achieve with respect to cross-border data flows in the Trade in Services Agreement (TISA), the WTO’s E-commerce Work Committee, the G20, G7, and the OECD.   However, as fellow panelist USTR Director for Digital Trade Sam DuPont concentrated on these fora, I emphasized in my spoken remarks four aspects of the cross-border data flow discussion.  First, key industry “asks” such as obligations to permit data flows, avoidance of serv ...

Readers of this blog will know that the SIIA and Thomson Reuters-supported Atlantic Council study: Into the Clouds: European SMEs and the Digital Age” was released on October 10 at Aspen Berlin/Germany on October 10.  We followed up in Brussels on October 12 with a lively DIGITALEUROPE workshop and a well-attended Transatlantic Policy Network dinner.  In addition, I met with German and European Commission officials this week.  A few takeaways from these events and meetings follow.  Cloud adoption rates are variable in Europe and surprisingly low in Germany.  Low adoption in Germany derives in part from continuing surveillance concerns but is perhaps equally caused by a preference for in-house solutions, even by SMEs.  Localization of data in-country remains a preference of many German companies and cloud providers increasingly provide that option to their customers who are evidently willing to pay a premium for that service.   The Commissi ...

Just as everyone was headed out of Washington for the Memorial Day weekend, CNBC did a report on Google’s Two Years of Forgetting Europeans. It was a useful summary of the material Google publishes in its transparency report on European privacy requests for search removals.  It noted such interesting facts as that Google has removed 43% of the URLs they have reviewed and processed and that Facebook was the most frequently removed URL. But the report strangely missed a major legal development that threatens a stable international understanding about the limits of domestic law in age of global communications networks. This stable understanding is that national governments have control over the Internet within their own borders.  They have right and the obligation to make the rules of the road for Internet conduct occurring within their own borders. But they don’t have the right to extend their local laws to Internet conduct within the jurisdiction of other cou ...

Those of you who read SIIA blogs, statements, and testimony know that we are big proponents of data-driven innovation.  For such innovation to achieve its full potential, cross-border data flows are essential.  That is why we support Trans-Pacific Partnership (TPP) digital provisions so strongly and consider them a floor for additional digital provisions in the Transatlantic Trade and Investment Partnership (TTIP) and Trade in Services Agreement (TISA).  We support interoperability mechanisms such as the EU-US Privacy Shield that allow companies to transfer data from one jurisdiction to another as long as they comply with the rules established in the mechanism.  This has nothing to do with undermining societal values such as privacy and everything to do with creating law-based data transfer mechanisms as we demonstrated at an October 9, 2015 Geneva event for TISA negotiators.  We are strong supporters of the EU-US Privacy Shield because it has the potential, ...

The Atlantic Council released “Building a Transatlantic Digital Marketplace: Twenty Steps Toward 2020” on April 5 in Brussels.  Later this month, the Council will host another event in Washington, D.C. on the report.  I was a member of the Atlantic Council’s Task Force on a Transatlantic Digital Agenda. The concept of a transatlantic digital marketplace is something well worth supporting.  The Brookings Institution’s 2014 work on the value of transatlantic data flows helped make the economic case for why this is so important.  The 2015 European Center for International Political Economy (ECIPE) paper on the importance of complementary policy for the ICT sector helps explain what policy environment, including on Intellectual Property Rights (IPRs) is optimal for the software sector.  The Atlantic Council Report contains many excellent ideas for building a transatlantic digital marketplace such as promoting cross-border data flows. Ha ...