Skip to main content

Full text of "State of the Net 2022"

See other formats


STATE OF THE NET 


Hope Springs Eternal? 


Assessing the State of 
U.S.-EU Digital Cooperation 





Internet LIVESTREAM BY 
Sehr FEBRUARY 28 2022 Internet Society 


Hope Springs Eternal? Assessing the State of U.S.-EU Digital Cooperation 


State of the Net, Washington DC - Feb 28 2022 


Ashley Gold 
We're gonna start by having the panelists go down and introduce themselves talk a little bit about 
their work and what it has to do with EU US relations. So let's start with Sean. 


Sean Heather 

Well, good morning. I'm Sean Heather. I'm the Senior Vice President for international regulatory 
affairs at the US Chamber. | also cover antitrust and have been working for the last 10 or 15 years 
on US-EU related matters, going way back to the TEC (Transatlantic Economic Council), if you can 
remember that, which was a Bush - Merkel initiated initiative, and then more recently the T-TIP, 
and now the TTC. 


Jens-Henrik Jeppesen 

I'm Jen's Jeppesen, | represent Workday. I'm based in Brussels, Belgium and | look after Workday's 
policy and corporate affairs activities in the European region. It's a pleasure to be back in 
Washington, it's been more than two years, and that's a long time for somebody who's been 
working on transatlantic issues for for many years now. So thanks for the invitation. | appreciate it. 


Alex Greenstein 

Hello everyone, I'm Alex Greenstein, I'm director of the Privacy Shield program over at the 
Department of Commerce. | got into this through a little bit of a roundabout way. | worked for 19 
years at the State Department on the, most recently, EU issues, and so ended up working on data 
privacy out in Brussels, and | was director for the European Union over at the White House, and 
then | was working on the National Economic Council doing tech policy, and then moved over to 
Commerce, and have been working on this, and we've been working assiduously on our 
negotiation of an enhanced Privacy Shield framework to restore stability to transatlantic data 
flows. 


Alina Polyakova 

And I'm Alina Polyakova, I'm President and CEO of the Center for European Policy Analysis. As an 
institution, we work a lot on transatlantic issues. Obviously, Russia and Ukraine has been 
dominating a lot of our work more recently, but in particular, have been working for many years 
trying to understand how authoritarian states like Russia, China, and others, are trying to use 
basically Western companies to censor the kind of information that their populations are able to 
see, something that we call digital authoritarianism and, as part of that, how the transatlantic 
community should come together and respond. So, a lot of issues around the TTC now, obviously, 
broader questions about some legislative efforts in Brussels on the DMA and DSA, and how that 
hurts or helps transatlantic decision making, unity, and tech regulatory policy things. 


Ashley Gold 

Thank you. With that, let's start right at the top with what's going on with Privacy Shield. | would 
love if Alex could give us a briefing of what's going on with negotiations, what we can expect to see 
in the next couple of months, and what some of the main sticking points are right now. 


Alex Greenstein 

Sure, thanks for having me, and this is definitely a priority for the Biden administration. It's 
something that really cuts to the heart of the transatlantic values and the importance of the 
transatlantic economy, as both the United States and the European Union, and the role it plays in 
the broader transatlantic relationship. So, a little bit of history lesson, we're dealing with the 
fallout from the Schrems II decision which was regarding data transfers from Europe to the United 
States using the standard contractual clauses however, and that's one of the EU Data transfer 
mechanisms that, because the European Union has a presumption that data should not be able to 
transferred overseas unless there is equivalent laws in some of the other country that's under the 
General Data Protection Regulation, their data privacy law, and so the United States and Europe 


have negotiated a series of sort of agreements on this issue to enable translate data transfers. 
However, on previous occasions, this has been struck down by the European Court of Justice 
regarding concerns about US government surveillance, and the availability of the limitations on 
that, but also the availability of redress for EU persons who are concerned that their data might 
have been inappropriately accessed. 


Alex Greenstein 

We negotiated an agreement a few years ago called the Privacy Shield framework that was struck 
down by the European Court. Now we are in the process of negotiating an enhanced privacy 
shield that would address the concerns raised by the Court of Justice and the Schrems II case. It's 
important to know that what we're negotiating is only about national security issues and 
government access to data. We're not revisiting the commercial elements, the framework which 
the court didn't have any issues with. It's important to note that this is something that is -- it needs 
to be dealt with between governments, because this is essentially about national security issues. 
What we're working to negotiate right now are something that threads the needle between what 
the European Court of Justice requires under European Human Rights Law, and fundamental 
rights, and then also sort of what is possible under the US Constitution, and then also what is, | 
guess | would say, advisable, given the national security commitments the United States has, and 
our need to protect the United States and our allies. 


| think, as we've seen recently, it's a dangerous world out there, and that reinforces the need for 
robust national security access to data, with appropriate limitations for protection of fundamental 
rights. That's what we're focused on right now, this has definitely been a little bit of a long haul. 
We definitely recognize that there has been a lot of instability in data transfers, and the companies 
are operating in an environment of uncertainty right now, about whether or not it's permissible to 
transfer data. That's why we and our partners in Europe are working to try to conclude this 
negotiation as quickly as possible, because we recognize that's having an impact on both US 
companies, but also European companies who want to be able to use US services, and also, to be 
honest, do business here and operate their operations and factories and things like that here in 
the United States. 


Ashley Gold 
And can you give us any timelines? 


Alex Greenstein 
(sighs) It's a question | always get, and | can't really make any predictions, but we're definitely in 
the homestretch. Hopefully, we'll have good news soon, but | can't make any promises. 


Ashley Gold 

Okay, let's move on to Sean for a little bit, and talk about some of the impact on businesses this 
uncertainty has had. What are you hearing from the business community on what it's like to wait 
on a new Privacy Shield, and not be sure if your standard contractual clauses will stand up, and 
how you're sort of feeling in the meantime? More broadly, can you speak to just the EU-US 
relationship, as the EU continues with new bills about data, Al, the DMA and the DSA, and how the 
US and the EU can align, when the EU is being so much more aggressive than the US is? 


Sean Heather 

Well, there's a lot there. Obviously, this is the State of the Net conference, you all know, more so 
than maybe anybody else | speak to, how important the flow of data across borders is. It is the 
lifeblood of the modern economy, and so it is natural for companies do want to find legal certainty 
and terms of being able to support those data flows. What is important, and what Ashley said, is 
that while a lot of the attention is on Privacy Shield, the court decision a year ago last July said that 
Privacy Shield needed to be struck down, but they put a giant question mark next to standard 
contractual clauses, and standard contractual clauses are the workhorse of data flows. 


Sean Heather 

Privacy Shield is important, its symbolic. lots of small and medium sized enterprises rely upon it, 
but when you look at the bulk of the data flowing between the United States and the EU, it flows 
underneath standard contractual clauses. This giant question mark, | think, has chief privacy 
officers and general counsels of major companies, both in Europe and the United States, kind of 
scratching their heads saying, What does this mean? And, effectively for the last 18 plus months, it 
has not meant that DPAs across Europe have brought judgments. We have not seen decisions 
coming down invalidating standard contractual clauses, but we do see signs that there are cases, 
that are in the system, and that those cases that are in the system are increasingly on borrowed 
time. They are not the kinds of decisions that the DPAs across Europe can continue to push off, 
they're going to be forced, | think, at some point this year to begin to make some determinations 
and decisions, and the question is, if standard contractual clauses are an invalid tool to transfer 
data between the United States and the EU, we have no legal mechanism by which to do so. 


So, the pressure is really on Alex, and you and the Biden ministration had made this a priority 
from day one. It was a seamless transition from the last administration to this. This is issue 
number one, as far as the Chamber is concerned, in the US-EU relationship, if we can't solve for 
this, there's no reason to have cooperation in the TTC. The entire TTC agenda, when you look at 


the 10 working groups, all has components about data and the ability to move data at its heart. 
So, this is job number one. 


lam optimistic. There are signs, for those who are watching this closely, that the EU understands 
the importance. I'm also optimistic that, sadly, because of the events of the last week or so, that 
there may be even a greater sense of concern and importance to ensure data flows between the 
United States and Europe. You would never want to say there's a silver lining to an invasion, but | 
do think that this has put a renewed emphasis on the importance of transatlantic ties. So, | am 
optimistic that we might see, and I'm not in the negotiating room, I'm not at the table, but | feel 
like we have a chance to see something maybe mid spring, late spring, early summer, that would 
be the window, which I'm watching right now. 


Switching gears. You said, the state of transatlantic relations? Most people think about the US-EU 
relationship, and they talk about the economic relationship. When you do that, in most cases, 
people think about trade, the US trading partners. But the US-EU relationship is different, it's really 
a relationship based off investment. It's very unique. We have trillions of dollars of US investment 
in Europe, there are trillions of dollars of EU investment in the United States. There is no other 
economic relationship in the world that is built on investment first. It's because of that investment 
we trade with each other. | think it's still true today that there is more US investment in Ireland 
than there is US investment in China. That shows you just how significant the relationship is. 


Why do | say that? Well, when we've seen past dialogues between the US and EU, | think there has 
been kind of this sense of hope springing eternal, which | think is today's title for the conference, 
or at least this session of the conference. My view is this, the US and the EU have been 
cohabitating, but never got married. We have this deep relationship that we have become 
comfortable with each other, and when we tried under the T-TIP to formalize that through an 
actual marriage, folks didn't like that too much. So, we're now back, through the TTC, at a 
negotiating table. My concern, about the way in which these negotiations are set up, is almost 
every issue on the TTC agenda, Europe has decidedly put out its markers as to where it wants to 
go on Al, where it wants to go on competition policy, where it wants to go on data policy, and 
there's not much to negotiate. 


There may be conversations we can have on cooperation vis-a-vis China, on cybersecurity, some 
of the other agenda items, but on the core regulatory issues that are going to govern data 
governance and the digital economy, Europe has decided the path they want to pursue, and | 
don't think it is interested in listening to the United States, or discussing where the United States 


has views, and unless Europe is going to sit down and have conversations like that, | think the TTC 
is gonna have a rocky agenda. 


Ashley Gold 

We're definitely gonna get back to that, but | want to make sure that Jens here could talk about 
what Privacy Shield means to companies like Workday, companies of similar sizes, and just the 
view from Brussels. Why do you think Brussels has such an intention to set these rules for the 
world, and to take a leading role here, and get these bills passed? And what does it ultimately 
mean for relations with the US, and whether they can lead together against authoritarian 
countries? 


Jens-Henrik Jeppesen 
How much time do | have? (laughs) 


Ashley Gold 
A couple of minutes. 


Jens-Henrik Jeppesen 

A broad question, but beginning with the Privacy Shield and data flows. Workday is a provider of 
software applications for enterprises across a whole range of different industries, from banking to 
automotive, manufacturing, energy, etc, etc, pharmaceuticals, we have something like half of the 
of the Fortune 500 amongst our customers. Many of those companies are European 
headquartered, so we have more than 725 EU headquartered companies that use our services. 
These are world leading companies, and they need, just like American companies do, to manage 
and optimize data flows across borders to run their operations seamlessly across the globe, really. 
Sometimes the issue has been framed as really focused on social media companies and their use 
of data. This is really not the case, this cuts across all industries. It cuts across large companies 
and small companies as well, it's important to note. 


Following the Schrems II decision in July 2020, we had European organizations putting out data to 
demonstrate the impact of Schrems II, and the uncertainty that that has created on European 
businesses. It cuts across all sectors, and it cuts across all sizes of companies. We see small 
companies, in particular, have been extremely reliant on the Privacy Shield. They now have to use 
standard contractual clauses. This is a very difficult process for a small company to manage, and 
they require a lot of legal assistance to be able to make this work. This is really issue number one 
for the EU-US relationship at this point. | think, like Sean, we're super excited about the TTC, we 
think there is an absolute need for Europe and the US to work productively across all of these 


areas. | think this current geopolitical situation, that we have been learning with for the past 
number of months, just emphasizes the importance of that. It is really, really essential that Europe 
and the US try to see eye to eye on as many of these issues as possible, understanding that there 
will be differences in how countries legislate. EU countries choose -- have, to some extent, some 
different values that express themselves in different policy choices from the US. That's normal. 
But, you do have to ensure that there's as much cooperation and alignment as at all possible. 


To your question about, why does Europe move ahead so aggressively with legislation and policy 
in this space? Taking European politicians at their own word, they sometimes frame it this way, 
they say, in this global technology industry. that is technology services and products that are 
integrated, not only in the way we work, but in our private lives, education, healthcare, etc, etc, 
that they choose a road where they've taken a proactive approach to regulating, rather than 
seeing a more market led development, where technologies evolve and get deployed, and then 
you try to deal with issues as they come up. This is, | would say, a deliberate choice of European 
politicians, that has advantages and disadvantages. But that's, at a very high level, how the 
situation. 


Ashley Gold 

Thank you. That brings us to Dr. Polyakova, I'm so happy to have you here today. There seems to 
be a lot of agreement on this panel that having an EU-US relationship over data flows, and 
anything on the Internet, digital, is important for the geopolitical sphere. As we've seen the past 
couple of days, the Internet is very involved in what's going on right now. We have both Russia and 
Ukraine making demands of American Internet companies to either invalidate accounts or to de- 
monetize accounts. Do you, in your view, think it is important for the EU and US to be aligned on 
all these issues, to be able to deal with the greater geopolitical problem? Or, is there room for 
some divergence between the two countries? 


Alina Polyakova 

Well, thank you so much for your question, Ashley. | love going last, because | have an opportunity 
to respond to what everyone else has already said. | actually just wanted to pick up on where Jens 
left off, on my we have seen a real divergence in the approach between, certainly in Brussels and 
Washington, when it comes to the tech regulatory agenda more broadly. | think, of course, Privacy 
Shield is very much at the center of it. | couldn't agree more that, unless we have agreement on 
Privacy Shield, then what is the point in the TTC, really? Because how are we going to make any 
forward momentum there, if we don't have the basic agreements on data flows. The TTC is set to 
meet sometime in May, mid May, now in Paris. It's been very unclear what the accomplishments 
have been, and where the agenda is actually heading. 


What I've noticed over the last several years working on these issues is just a very different lens 
for understanding the geopolitics of technology in Brussels and Washington. In the European 
perspective, a lot of that focuses on individual data protection and privacy, in the United States the 
lens is much more about national security. It's very difficult, when | go to Brussels or other 
European countries, to make the point that this is about national security, and that we have to 
prioritize that. What's happening today, certainly, with the renewed Russian war in Ukraine, lends 
just much more credibility to that perspective, that number one priority, while data protection 
individualized is deeply important, but not when it goes against our broader transatlantic security. 


It's been very concerning to see what has been a freight train of a regulatory agenda coming from 
Brussels, which, by the way, doesn't fully represent the views of the European member states 
themselves. There's actually quite a bit of divergence, certainly, with some central Eastern 
European countries, the Baltic states, and elsewhere, from what has become a very French and 
German driven agenda on the tech regulatory side. There's a tendency to see things like the DMA 
and the DSA, and the Al act and all these things we see coming out from Brussels, as 
representative of the European perspective, but, in reality, it's not necessarily. There are a lot of 
smaller companies that aren't being classified as gatekeepers, medium-sized companies in places 
like Scandinavia, they have a very active tech market, have some concerns, that they don't want to 
clamp down on US companies just to be replaced by French companies. 


There's a lot of divergence on how the European laws that we're going to see enacted in the next 
several weeks here, most likely, are going to affect the European ability to compete. The big 
question for Europe, and this goes back to, again, about why has Europe taking this leadership 
role on the tech regulatory agenda, even though most of the companies really talking about are 
not European companies. | think the reason for that is because there's a real fear of being left 
behind. Obviously, the US still leads on technology innovation, and China is actively aggressively 
competing there, so what is really Europe's role? 


European policymakers have carved out regulation -- sometimes, unfortunately, in the service of 
regulation versus the service of innovation -- as their leadership in the world, part of their 
leadership portfolio. This is where Europe sees its ability to have impact in the world, through 
norms, international standards, etc, but | agree that it's probably a little too early for that, because 
some of this technology is still very nascent. | think now that we look back, look at what's been 
happening in Russia, and China's also part of this dynamic, but to zoom in on Russia a little bit, 
deeply concerning developments about how the the Russian government has been using and 


abusing western tech platforms in the service of digital censorship, in the service of digital 
authoritarianism. 


Just over the last several days, we've really seen a combination, or what has actually has been a 
years long effort by the Kremlin, to force companies to comply with increasingly draconian local 
laws, the so called new landing law, as it's called, that is affecting basically all companies, social 
media, broader tech companies, platforms that are operating in Russia, and de facto making them 
much more vulnerable to things like detaining, arresting employees of these firms if they don't 
comply with these draconian laws. They're demanding the takedown of content that is truthful 
content, which, of course, companies have been resisting for a long time, and it's important to 
know, paying a lot of fines. 


But, at some point, | think they come to a question of, do we want YouTube in Russia still, and of 
course, YouTube, for example, has been the only reason why Russian opposition voices or 
independent voices have had any avenue for expression in a deeply state controlled environment, 
or do these companies just pull out, and basically cede this information environment completely 
to the authoritarian state? | think it's a really difficult situation that firms find themselves in. It 
really should be the prerogative of the US government and European leaders to stand up for 
democratic values of free expression, and to support and push back on some of these very 
aggressive authoritarian tactics that we see deployed, but right now, the companies are kind of 
left in the lurch a little bit to figure out for themselves. 


Ashley Gold 

Yeah, absolutely. It sort of brings me back to this idea that abroad, the Biden administration, 
similar to the Trump administration, they're in the position of defending their own tech companies 
to foreign governments that wish to tax them, or put regulations that seem to be focused just on 
the biggest US companies, but at home, they want to regulate them themselves. Maybe you could 
speak a little bit to this tension, that the US government seems to defend our companies abroad, 
but at home there's a pretty robust competition agenda going on, and a desire to have more 
content moderation and more privacy, not saying we've passed many laws, but there are many 
efforts. Can you speak to that tension? 


Sean Heather 

Sure. There are three things you raised there. One is this competition policy question, which is 
more akin to the DMA, you have a conversation there about federal privacy law, and then you 
have a conversation about content moderation, which, for the most part in the US, is a debate 
about 230. In the competition lane and the pure competition lane, | don't see the Biden 


administration fundamentally having a different position abroad, from what they have at home. 
The administration has made it clear that they do not support the DMA, as drafted, they've made 
it clear to the Europeans that there's a variety of things that need to change. At home, the 
domestic legislation that is most furthest advanced in the Senate, the administration has not put 
out a statement of administrative support for that. In fact, you see large amounts of folks on the 
Democrat side of the aisle who have deep concerns with the way in which that is drafted, which is 
very similar to the DMA. 


Where | think you have tension in the administration is, what should regulation look like in this 
space? There, | don't know that they have an answer, they know what they don't like, but I'm not 
sure they know what they do like. So, when they put their opposition out there to Europe on the 
DMA, when they had withheld their full support for what's happening here at home, | think that's 
entirely consistent. What one should do about platform regulation is where | think the 
administration is still trying to figure out what makes sense, what would look like good regulatory 
practices, how much of this should happen as a matter of antitrust law versus regulation? In the 
United States, we're trying to do it as an amendment to our antitrust laws. In Europe, they've 
decided not to amend their antitrust laws and do it as a matter of regulation. These kinds of 
questions, | think, are very much still unanswered with the Biden ministration. 


When you move to the privacy space, obviously, as Alex said, the debate among US- EU is not 
about whether or not we have adequate protections for privacy in the United States from a 
commercial standpoint, the Europeans accept it, but we in the business community don't want 50 
state-based regulations, we want to see a federal privacy solution, the Chamber is very much in 
favor of that. | think the administration is very much in favor of that. | think the details are 
oftentimes associated with how you construct things like private rights of action, and what 
happens when it comes to to a violation. All of that will take some time to sort out, but | think 
there is a common agenda there. Certainly, | think Europeans would welcome a federal privacy 
law. There's lots of European investment, as | said, in the United States, they don't want to have 50 
state privacy frameworks by which to address. 


In the third area, which is this content moderation debate. This is the one where | think it's the 
toughest to figure out what is a legislative or regulatory path forward. Obviously, you have clear 
requirements under our constitution for free speech, but we also know that you can't yell fire ina 
crowded theater. What is the online version of that has yet to be figured out -- whether that is 
figured out over time as a matter of common law, or courts, or whether that's figured out by the 
United States Congress. We're a long way from having that answer, but the urgency is clear. It's 
not only being sorted out in Europe through their efforts with what they call their DSA, but | see 


-10- 


dozens of countries around the world who are putting content moderation frameworks in place. 
Many of those are within authoritarian governments who are dictating terms, what is legal content 
versus illegal content. When you look at these regimes, it's very unclear. Companies are left to try 
to decide for themselves how to interpret the law, and then the ways in which they must comply in 
many cases are completely unreasonable and outright crazy. So, that space is the one that, both 
from a policy standpoint as well as from civil society and the business community, is where | think 
there is the most room to figure out what the path forward is. 


Again, on the competition piece, | think the administration is clear on their opposition to both 
approaches, but they're not clear on is what the right approach should be. 


Ashley Gold 
Does anybody else have anything to add? 


Alina Polyakova 

Yeah, if | could just chime in there, specifically on the content piece, because I've been working on 
issues around your counter disinformation efforts for too many years, I'd like to admit. One of the 
things that we have to really pay close attention to is the precedent setting nature, which | think 
Sean was just alluding to, some of the legislation that we see emerging, talking about online 
harms and not really defining what that means, talking about illegal content. Basically, some of the 
European proposals have been copied and pasted by countries like Russia into their own law, and 
now the very same language is being used to repress and oppress independent voices saying that 
this extremist content is illegal content, that there's online harms in certain content, which is of 
course, truthful content. So, it's being used in the service of censorship and repression, rather 
than what they're supposed to be used as. 


Ashley Gold 
Did you have something to add, Alex? 


Alex Greenstein 

Yeah. that is a very good point. Having observed EU-US discussions purely on privacy, but also on 
tech policy more broadly, One of the things is that there can be a little bit of an excessive focus on, 
| would say, the instrumentalities of how to implement policy, and the differences that we have 
there. That can sometimes obscure the fundamental sameness of our values. That's something 
that really both sides could stand to work through, is looking more at how we implement our 
policies and practice, and how that reflects our fundamental values. 


44% 


This is where we also hit this real problem -- we haven't talked about this yet -- around concepts 
like digital sovereignty as well. This is the same concept that the Beijing uses to talk about their 
desire to control the online space. This concept has also become pervasive in the European 
debate. And so, | think my question is, where did the values come in here? If the United States and 
Europe are divided on the tech agenda front, then we'll be divided on the values front. | think we 
need to start really pushing our governments to not leave companies just out there fighting the 
large authoritarian states on their own. It's long overdue. Frankly, | think the current situation is 
just so deeply disturbing .Hopefully, | think there's a silver lining, hopefully the unity we're seeing 
right now between Europe and the United States in the response to Russia will be channeled into 
greater cooperation on this particular agenda as well. 


The example I'm thinking of here is in terms of privacy, certainly we have different approaches to 
it, but from the United States standpoint, we argue that it's not a decision between privacy and 
security, you can have both of those things, but you just need to have the right policies and 
approaches in place. We're trying to dig into that. 


One of the things is -- it's gets less attention than Privacy Shield, but -- there are discussions now 
at the Organization for Economic Cooperation and Development about what are the appropriate 
safeguards and limitations on government access to data? Really, this is bringing together 
practitioners from the national security communities in Europe and the United States, along with 
people who are responsible for fundamental rights, and looking really deeply into what are the 
best practices around sort of government surveillance, and we're finding there's a lot of 
commonalities there. Certainly, we have different legal systems in Europe and the United States, 
but when it comes down to it, the values that underpin them are quite similar, and you find a lot 
of best practices. That does give me some hope for this moving forward, that we have sort of 
more in common than we have different, and then also the current crisisdoes focus minds on that 
a little bit. That's my two cents. 


Jens-Henrik Jeppesen 

Yeah, thanks Alex, that makes a lot of sense. | recall, Ambassador Bill Kennard saying in meetings 
that, with the EU and the US, it was the narcissism of small differences. | think it's a pretty apt 
observation, given that the policy issues that are being debated and the values that underpin 
them are so similar, whilst the institutional setup and the political dynamics are different. You 
mentioned the Franco-German locomotive is back on track, the French-German locomotive of 
European integration. After Brexit there's a big UK shaped hole in the Union, where there was a 
push or pull towards open trade, restrained intervention in markets and so on, and so we really 
see that now. 


-12- 


The digital sovereignty concept that you mentioned, President Macron likes to talk about strategic 
autonomy. We currently have the French presidency of the of the Union, and this has been an 
incredibly strong narrative that runs across all kinds of policy areas. Just one quick example, there 
are cybersecurity standards being developed for the entire EU. That's entirely sensible to have 
that cybersecurity framework for a cloud services across the EU to replace national standards. 
Brilliant idea. 


But what the French have tried to do is to introduce what they called sovereignty requirements, so 
that certain parts of the cloud services market can only be serviced by European companies, with 
maximum percentage of foreign ownership, with no involvement of non-EU staff, with strict data 
localization requirements in place. So, we're seeing this political narrative now really being 
reflected in different policies across across the sphere, and in a way that is probably actually 
actively harmful to what the cybersecurity framework seeks to put in place, because what you do 
not want is to have it such that European organizations, public sector organizations, or 
companies, cannot use the best possible cybersecurity technologies in the market. 


So, there's a lot of work for us to do on this. 


Ashley Gold 

If you look at the way things are going, it seems though data sovereignty and this balkanization of 
the Internet is happening all over the world in Russia, China, India, US, Europe, how do we sort of 
come together and have a free and open Internet again, where every country doesn't have 
different rules, and the Internet doesn't look a little different depending on where you are? Is 
there a coming back to that? Or have we gone too far? 


Alina Polyakova 

| can start us off there, if you don't mind Ashley. We don't have free and open Internet on a global 
level anymore, and we just don't live in that reality. | mean, go to China, go to Russia, go to 
Myanmar, obviously. At this point, we are in a position, unfortunately, having to defend the free 
and open democratic online space. This is exactly where the squabbles over details are deeply 
unproductive, and go against the broader strategic agenda of making sure we're all on the same 
place. Because we have to defend that space, we have to defend the ability of people to have 
access to truthful information, a variety of sources. Companies big and small play a deep and 
huge role in that. My concern about things like sovereignty, and conversations, especially on cloud 
services and other issues, are deeply concerning, because it's just reinforcing the splinternet 
model in a different sector. We have to really shift lenses, because if we keep moving in this 


see 


direction, we're just going to reinforce the authoritarian vision of the online world, and it's not the 
vision, | think, that many of us here share, or that many individuals would like to be a part of, 
frankly. That's the big issue today, whether we can move away from -- the EU wants to lead on 
regulation, and we can put innovation on the backbench there, where we are on competition 
policy, etc, etc, -- we do align on the bigger, broader principles. We have to come back and 
compromise, and a lot of that compromise has to happen in Brussels, because they have been so 
much further along on setting out their demands and their agenda, and the US has been lagging 
behind there, and hasn't been as engaged in some of these issues until the current 
administration. So, there's a lot of work we have to do. 


| don't want to, you know, raise the alarm bells too much, but we're in a really bad place right now. 
We have to move really, really quickly to ensure that what we still have, that we're going to have 
for future generations. 


Jens-Henrik Jeppesen 

I'll just build off of what you were talking about. | think the one area where we risk atomization or 
fragmentation is artificial intelligence. The EU has moved forward with legislation last year, a very 
broad and ambitious piece of legislation, it's early stages yet, yet it has a number of very sensible 
components that | think will find a receptive audience on the US side. However, it is not clear that 
it will hit the right balance between the dual objectives, which are to create an ecosystem of 
excellence and innovation, as well as an ecosystem of trust, and a vibrant market for trustworthy 
Al applications. 


Talking about -- back to the TTC, we would very much encourage the US government to be as 
engaged as possible, and as forward leaning as possible, in terms of dialogue with EU 
policymakers in this space. The regulation is going to set out technical standards for compliance, 
the worst outcome would be if we have a set of standards coming out of Europe that are then not 
compatible with what NIST, for example, has been working on here, something that Workday has 
really supported. So, if we can use the TTC to facilitate alignment and interoperability, and these 
two pieces docking together nicely, | think that would would be the best outcome for all of us. 


Alex Greenstein 

Yeah, | think you really put your finger on it, in terms of the word that | always focus on, 
interoperability. We don't have to have all the same laws and approaches on the Internet, but we 
do need to ensure that they work nicely together, and that there are ways to build bridges. That's 
essentially what Privacy Shield was about, you had an EU law that functioned differently than US 
laws, but you had enough US law in that space that you could make an argument that, if you add 


-14- 


some things to it, it is essentially equivalent. That's kind of the spirit that we're looking at, is finding 
ways to work together, and that also gets to the issue of trust, and trusting that, yes, other 
systems may look somewhat different but, since we operate on the same values, that we can 
accept that that will probably get you to the right place. 


Sean Heather 

If the question was, where are we headed? | think the answer is, we are not. We are in a state of 
fragmentation, the question is how much more fragmented we become. If you listen to part of the 
last session with Congressman McCaul, he talked about essentially decoupling with China when it 
comes to technology, the importance of export controls, the importance of not allowing tech 
transfer for national security concerns. If Europe decides to take a maximalist approach in terms 
of divergence with the United States, on DMA, on DSA, on Al, on the cloud -- we haven't even 
talked about the Data Act, which just was put out last week, which is entirely an effort to say, look, 
we're going to redefine what the definition of data ownership means, what it means for B2B 
business relationships for data, we're going to compel the sharing of data, which is a property 
right, fundamentally. If Europe decides to go down completely divergent paths from the United 
States, we are talking about a decoupling between the United States and the EU on digital 
economy policy. 


When | heard you lay out the cloud stuff, | said to myself, are we talking about France and Europe, 
or are we talking about China? The idea that you're only going to have a certain amount of local 
content, you're going to only allow certain amount of foreign direct ownership into a space, these 
are the tools China has used, that have caused the challenges we have today in the US-China trade 
relationship. And so, to the degree to which Europe is headed down that same path, we will end 
up in a position of decoupling. That's going to be very difficult when you look at, again, where | 
started, our relationship has been built on investment, we have invested deeply in each other's 
markets. That investment is something that American businesses are interested to continue to 
make additional investments in, and European businesses are interested in making additional 
investments here in the United States. So, we need to figure out how to get around the table at 
the TTC and work on these issues, but we do have some serious challenges, given where Europe 
has decided to set out its agenda, and where we stand today in these conversations in the United 
States. 


Ashley Gold 

Since we have Dr. Polyakova here, and there's so much going on with the Russian invasion of 
Ukraine, | just want to ask you, what has been sort of the most striking thing to you, in the past 
week or so, that you've seen online having to do with the social media companies, Russia, Ukraine, 


15% 


and the attempts at censorship and even just a lot of the misinformation we're seeing? Has 
anything been particularly shocking to you or different? 


Alina Polyakova 

Well, it depends what the relative starting point is for shock, right? | think we're in a much better 
place than we were, for example, in 2014 when Russia invaded Crimea and eastern Ukraine, which 
is when | started working in disinformation issues, where the Russian narratives were really 
propagating into Western media, and they were being spread very widely on social media. Then 
we saw her own ability to really grasp the importance of that, then, of course, came to us here in 
the United States in 2016, and then elsewhere. 


Alina Polyakova 

I've seen how companies have actually learned a huge deal over the last eight years, and have 
been quite active in removing content, fact checking content, and this has really been a thorn in 
the Kremlin side. One of the big conflicts that we've seen emerge in the last week was our fact 
checking, and Meta's policy effect of fact checking content, labeling content, and the Russian 
government demanded they stop doing this, or they're going to basically start limiting access to 
their platforms in Russia. They have been doing that, and then only partially complying with this. 
Again, | think companies have been trying to push back. One interesting development has also 
been the European Union now banning Russian state sponsored media outlets, like RT, Sputnik, 
and others. My understanding is that the companies are following the EU now, | guess, proposed 
law on this, and that's been a really positive development. 


Alina Polyakova 

The big question is, there are companies like TikTok, where are they going to go? Platforms that 
are operating in these authoritarian states, but are not necessarily as concerned about issues 
around false misleading information? | think we have to ask ourselves, do we want our children to 
be using Facebook or Instagram or TikTok, when we're talking about control of false information? 
It's been a much better situation, | think governments have, especially the US government has, 
been very effective on the broader information messaging side. Certainly Ukrainian, certainly 
people in Central Eastern Europe, are much, much more aware of disinformation, and have a 
much more critical lens on it. To be fair, or to be honest | should say, it's been really depressing to 
watch, as well, how deeply penetrating the Russian state propaganda has been in Russian society, 
which, again, is why go back to the point of, we have to fight to maintain freedom of access of 
information in these authoritarian states while we can, because that window is closing. The 
majority of Russians, despite the very brave and courageous Russians who have been protesting 
the war, and getting arrested and thrown in, and beat up and all these things last, last several 


-16- 


days, that's still a minority. The reason for that is because most people are buying the state 
narrative, and why? Because they don't have access to other information, they're watching state 
sponsored media, because that is the mainstream media, and that is the dominant information 
source for many Russians. We see what that leads to. 


Alina Polyakova 

It's a better situation that companies have learned. Unfortunately, | don't think governments have 
learned as much, because we still don't have just a basic regulatory framework that will give 
companies some guidance on what they should or should not be doing. I'm not talking about 
things that we were talking about earlier, but just some basic guidance. Now we have companies 
doing all kinds of different things, as they have been for many, many years, and it's also creating a 
lot of loopholes. Twitter may be able to remove something, but Facebook is not, and etc, it goes on 
like that. That is really limiting our ability to counter disinformation and false narrative on the 
online space, but | do think things are better than they used to be. 


Ashley Gold 

Yeah, just last night, Meta announced that they took down a coordinated and authentic activity 
attempt, but it reached far fewer people than it -- maybe even, whatever, a couple years ago -- 
nothing like what we saw in 2016 with the US election, it was a much smaller impact. A lot of what 
me and my colleagues have been seeing in the past couple of days is, it's not so much the 
sophisticated online disinformation campaigns, it's just regular people going online and 
retweeting something that isn't from the current conflict, or was a picture taken out of context, or 
just something that was totally unrelated, but you got a bunch of people rallying in support of 
Ukraine to retweet it. We see a lot of confusion there, too. So, the companies are in a tough 
position, you'd like to see the support for Ukraine, and all of the retweets and the interactions 
we're seeing, but even some of this positive content or pro-democracy content is not accurate. So, 
there's a lot to unpack there. | just want to make sure before we wrap up, if anybody had anything 
else to add broadly about Privacy Shield, anything we missed. And you said in a week, right? 


Alex Greenstein 
Next week, it's done. Yeah. 


Ashley Gold 
(laughs) 


Alex Greenstein 
Totally. 


SAvs 


Ashley Gold 
Did you want to add anything? 


Jens-Henrik Jeppesen 

Well, | think it's just worth pointing out that this is a very concrete concern, the Privacy Shield, but 
behind that sits this whole other dimension of EU-US issues in the technology space, and looking 
at the geopolitical situation that we're in right now, this ought to focus the mind in terms of 
forging, really productive cooperation, on this in the very short term, and on the other issues 
going forward. That should be something to strive for. 


Alex Greenstein 

| know that's definitely our hope. | can say that, in these negotiations, we have really strong 
partners in the European Commission. We have worked with them on these issues for a long time, 
and | can say definitely, over the years, we have developed a shared language, and they've 
developed a deeper understanding of our approaches on surveillance policy, and there's definitely 
a mutual understanding and a lot of goodwill there. | think that's only growing, and so that makes 
me optimistic. 


Ashley Gold 


Well, on that optimistic note, we will wrap up today's panel, and thank you guys very much for 
joining us. 


-18-