STATE OF THE NET
Hope Springs Eternal?
Assessing the State of
U.S.-EU Digital Cooperation
Internet LIVESTREAM BY
Sehr FEBRUARY 28 2022 Internet Society
Hope Springs Eternal? Assessing the State of U.S.-EU Digital Cooperation
State of the Net, Washington DC - Feb 28 2022
We're gonna start by having the panelists go down and introduce themselves talk a little bit about
their work and what it has to do with EU US relations. So let's start with Sean.
Well, good morning. I'm Sean Heather. I'm the Senior Vice President for international regulatory
affairs at the US Chamber. | also cover antitrust and have been working for the last 10 or 15 years
on US-EU related matters, going way back to the TEC (Transatlantic Economic Council), if you can
remember that, which was a Bush - Merkel initiated initiative, and then more recently the T-TIP,
and now the TTC.
I'm Jen's Jeppesen, | represent Workday. I'm based in Brussels, Belgium and | look after Workday's
policy and corporate affairs activities in the European region. It's a pleasure to be back in
Washington, it's been more than two years, and that's a long time for somebody who's been
working on transatlantic issues for for many years now. So thanks for the invitation. | appreciate it.
Hello everyone, I'm Alex Greenstein, I'm director of the Privacy Shield program over at the
Department of Commerce. | got into this through a little bit of a roundabout way. | worked for 19
years at the State Department on the, most recently, EU issues, and so ended up working on data
privacy out in Brussels, and | was director for the European Union over at the White House, and
then | was working on the National Economic Council doing tech policy, and then moved over to
Commerce, and have been working on this, and we've been working assiduously on our
negotiation of an enhanced Privacy Shield framework to restore stability to transatlantic data
And I'm Alina Polyakova, I'm President and CEO of the Center for European Policy Analysis. As an
institution, we work a lot on transatlantic issues. Obviously, Russia and Ukraine has been
dominating a lot of our work more recently, but in particular, have been working for many years
trying to understand how authoritarian states like Russia, China, and others, are trying to use
basically Western companies to censor the kind of information that their populations are able to
see, something that we call digital authoritarianism and, as part of that, how the transatlantic
community should come together and respond. So, a lot of issues around the TTC now, obviously,
broader questions about some legislative efforts in Brussels on the DMA and DSA, and how that
hurts or helps transatlantic decision making, unity, and tech regulatory policy things.
Thank you. With that, let's start right at the top with what's going on with Privacy Shield. | would
love if Alex could give us a briefing of what's going on with negotiations, what we can expect to see
in the next couple of months, and what some of the main sticking points are right now.
Sure, thanks for having me, and this is definitely a priority for the Biden administration. It's
something that really cuts to the heart of the transatlantic values and the importance of the
transatlantic economy, as both the United States and the European Union, and the role it plays in
the broader transatlantic relationship. So, a little bit of history lesson, we're dealing with the
fallout from the Schrems II decision which was regarding data transfers from Europe to the United
States using the standard contractual clauses however, and that's one of the EU Data transfer
mechanisms that, because the European Union has a presumption that data should not be able to
transferred overseas unless there is equivalent laws in some of the other country that's under the
General Data Protection Regulation, their data privacy law, and so the United States and Europe
have negotiated a series of sort of agreements on this issue to enable translate data transfers.
However, on previous occasions, this has been struck down by the European Court of Justice
regarding concerns about US government surveillance, and the availability of the limitations on
that, but also the availability of redress for EU persons who are concerned that their data might
have been inappropriately accessed.
We negotiated an agreement a few years ago called the Privacy Shield framework that was struck
down by the European Court. Now we are in the process of negotiating an enhanced privacy
shield that would address the concerns raised by the Court of Justice and the Schrems II case. It's
important to know that what we're negotiating is only about national security issues and
government access to data. We're not revisiting the commercial elements, the framework which
the court didn't have any issues with. It's important to note that this is something that is -- it needs
to be dealt with between governments, because this is essentially about national security issues.
What we're working to negotiate right now are something that threads the needle between what
the European Court of Justice requires under European Human Rights Law, and fundamental
rights, and then also sort of what is possible under the US Constitution, and then also what is, |
guess | would say, advisable, given the national security commitments the United States has, and
our need to protect the United States and our allies.
| think, as we've seen recently, it's a dangerous world out there, and that reinforces the need for
robust national security access to data, with appropriate limitations for protection of fundamental
rights. That's what we're focused on right now, this has definitely been a little bit of a long haul.
We definitely recognize that there has been a lot of instability in data transfers, and the companies
are operating in an environment of uncertainty right now, about whether or not it's permissible to
transfer data. That's why we and our partners in Europe are working to try to conclude this
negotiation as quickly as possible, because we recognize that's having an impact on both US
companies, but also European companies who want to be able to use US services, and also, to be
honest, do business here and operate their operations and factories and things like that here in
the United States.
And can you give us any timelines?
(sighs) It's a question | always get, and | can't really make any predictions, but we're definitely in
the homestretch. Hopefully, we'll have good news soon, but | can't make any promises.
Okay, let's move on to Sean for a little bit, and talk about some of the impact on businesses this
uncertainty has had. What are you hearing from the business community on what it's like to wait
on a new Privacy Shield, and not be sure if your standard contractual clauses will stand up, and
how you're sort of feeling in the meantime? More broadly, can you speak to just the EU-US
relationship, as the EU continues with new bills about data, Al, the DMA and the DSA, and how the
US and the EU can align, when the EU is being so much more aggressive than the US is?
Well, there's a lot there. Obviously, this is the State of the Net conference, you all know, more so
than maybe anybody else | speak to, how important the flow of data across borders is. It is the
lifeblood of the modern economy, and so it is natural for companies do want to find legal certainty
and terms of being able to support those data flows. What is important, and what Ashley said, is
that while a lot of the attention is on Privacy Shield, the court decision a year ago last July said that
Privacy Shield needed to be struck down, but they put a giant question mark next to standard
contractual clauses, and standard contractual clauses are the workhorse of data flows.
Privacy Shield is important, its symbolic. lots of small and medium sized enterprises rely upon it,
but when you look at the bulk of the data flowing between the United States and the EU, it flows
underneath standard contractual clauses. This giant question mark, | think, has chief privacy
officers and general counsels of major companies, both in Europe and the United States, kind of
scratching their heads saying, What does this mean? And, effectively for the last 18 plus months, it
has not meant that DPAs across Europe have brought judgments. We have not seen decisions
coming down invalidating standard contractual clauses, but we do see signs that there are cases,
that are in the system, and that those cases that are in the system are increasingly on borrowed
time. They are not the kinds of decisions that the DPAs across Europe can continue to push off,
they're going to be forced, | think, at some point this year to begin to make some determinations
and decisions, and the question is, if standard contractual clauses are an invalid tool to transfer
data between the United States and the EU, we have no legal mechanism by which to do so.
So, the pressure is really on Alex, and you and the Biden ministration had made this a priority
from day one. It was a seamless transition from the last administration to this. This is issue
number one, as far as the Chamber is concerned, in the US-EU relationship, if we can't solve for
this, there's no reason to have cooperation in the TTC. The entire TTC agenda, when you look at
the 10 working groups, all has components about data and the ability to move data at its heart.
So, this is job number one.
lam optimistic. There are signs, for those who are watching this closely, that the EU understands
the importance. I'm also optimistic that, sadly, because of the events of the last week or so, that
there may be even a greater sense of concern and importance to ensure data flows between the
United States and Europe. You would never want to say there's a silver lining to an invasion, but |
do think that this has put a renewed emphasis on the importance of transatlantic ties. So, | am
optimistic that we might see, and I'm not in the negotiating room, I'm not at the table, but | feel
like we have a chance to see something maybe mid spring, late spring, early summer, that would
be the window, which I'm watching right now.
Switching gears. You said, the state of transatlantic relations? Most people think about the US-EU
relationship, and they talk about the economic relationship. When you do that, in most cases,
people think about trade, the US trading partners. But the US-EU relationship is different, it's really
a relationship based off investment. It's very unique. We have trillions of dollars of US investment
in Europe, there are trillions of dollars of EU investment in the United States. There is no other
economic relationship in the world that is built on investment first. It's because of that investment
we trade with each other. | think it's still true today that there is more US investment in Ireland
than there is US investment in China. That shows you just how significant the relationship is.
Why do | say that? Well, when we've seen past dialogues between the US and EU, | think there has
been kind of this sense of hope springing eternal, which | think is today's title for the conference,
or at least this session of the conference. My view is this, the US and the EU have been
cohabitating, but never got married. We have this deep relationship that we have become
comfortable with each other, and when we tried under the T-TIP to formalize that through an
actual marriage, folks didn't like that too much. So, we're now back, through the TTC, at a
negotiating table. My concern, about the way in which these negotiations are set up, is almost
every issue on the TTC agenda, Europe has decidedly put out its markers as to where it wants to
go on Al, where it wants to go on competition policy, where it wants to go on data policy, and
there's not much to negotiate.
There may be conversations we can have on cooperation vis-a-vis China, on cybersecurity, some
of the other agenda items, but on the core regulatory issues that are going to govern data
governance and the digital economy, Europe has decided the path they want to pursue, and |
don't think it is interested in listening to the United States, or discussing where the United States
has views, and unless Europe is going to sit down and have conversations like that, | think the TTC
is gonna have a rocky agenda.
We're definitely gonna get back to that, but | want to make sure that Jens here could talk about
what Privacy Shield means to companies like Workday, companies of similar sizes, and just the
view from Brussels. Why do you think Brussels has such an intention to set these rules for the
world, and to take a leading role here, and get these bills passed? And what does it ultimately
mean for relations with the US, and whether they can lead together against authoritarian
How much time do | have? (laughs)
A couple of minutes.
A broad question, but beginning with the Privacy Shield and data flows. Workday is a provider of
software applications for enterprises across a whole range of different industries, from banking to
automotive, manufacturing, energy, etc, etc, pharmaceuticals, we have something like half of the
of the Fortune 500 amongst our customers. Many of those companies are European
headquartered, so we have more than 725 EU headquartered companies that use our services.
These are world leading companies, and they need, just like American companies do, to manage
and optimize data flows across borders to run their operations seamlessly across the globe, really.
Sometimes the issue has been framed as really focused on social media companies and their use
of data. This is really not the case, this cuts across all industries. It cuts across large companies
and small companies as well, it's important to note.
Following the Schrems II decision in July 2020, we had European organizations putting out data to
demonstrate the impact of Schrems II, and the uncertainty that that has created on European
businesses. It cuts across all sectors, and it cuts across all sizes of companies. We see small
companies, in particular, have been extremely reliant on the Privacy Shield. They now have to use
standard contractual clauses. This is a very difficult process for a small company to manage, and
they require a lot of legal assistance to be able to make this work. This is really issue number one
for the EU-US relationship at this point. | think, like Sean, we're super excited about the TTC, we
think there is an absolute need for Europe and the US to work productively across all of these
areas. | think this current geopolitical situation, that we have been learning with for the past
number of months, just emphasizes the importance of that. It is really, really essential that Europe
and the US try to see eye to eye on as many of these issues as possible, understanding that there
will be differences in how countries legislate. EU countries choose -- have, to some extent, some
different values that express themselves in different policy choices from the US. That's normal.
But, you do have to ensure that there's as much cooperation and alignment as at all possible.
To your question about, why does Europe move ahead so aggressively with legislation and policy
in this space? Taking European politicians at their own word, they sometimes frame it this way,
they say, in this global technology industry. that is technology services and products that are
integrated, not only in the way we work, but in our private lives, education, healthcare, etc, etc,
that they choose a road where they've taken a proactive approach to regulating, rather than
seeing a more market led development, where technologies evolve and get deployed, and then
you try to deal with issues as they come up. This is, | would say, a deliberate choice of European
politicians, that has advantages and disadvantages. But that's, at a very high level, how the
Thank you. That brings us to Dr. Polyakova, I'm so happy to have you here today. There seems to
be a lot of agreement on this panel that having an EU-US relationship over data flows, and
anything on the Internet, digital, is important for the geopolitical sphere. As we've seen the past
couple of days, the Internet is very involved in what's going on right now. We have both Russia and
Ukraine making demands of American Internet companies to either invalidate accounts or to de-
monetize accounts. Do you, in your view, think it is important for the EU and US to be aligned on
all these issues, to be able to deal with the greater geopolitical problem? Or, is there room for
some divergence between the two countries?
Well, thank you so much for your question, Ashley. | love going last, because | have an opportunity
to respond to what everyone else has already said. | actually just wanted to pick up on where Jens
left off, on my we have seen a real divergence in the approach between, certainly in Brussels and
Washington, when it comes to the tech regulatory agenda more broadly. | think, of course, Privacy
Shield is very much at the center of it. | couldn't agree more that, unless we have agreement on
Privacy Shield, then what is the point in the TTC, really? Because how are we going to make any
forward momentum there, if we don't have the basic agreements on data flows. The TTC is set to
meet sometime in May, mid May, now in Paris. It's been very unclear what the accomplishments
have been, and where the agenda is actually heading.
What I've noticed over the last several years working on these issues is just a very different lens
for understanding the geopolitics of technology in Brussels and Washington. In the European
perspective, a lot of that focuses on individual data protection and privacy, in the United States the
lens is much more about national security. It's very difficult, when | go to Brussels or other
European countries, to make the point that this is about national security, and that we have to
prioritize that. What's happening today, certainly, with the renewed Russian war in Ukraine, lends
just much more credibility to that perspective, that number one priority, while data protection
individualized is deeply important, but not when it goes against our broader transatlantic security.
It's been very concerning to see what has been a freight train of a regulatory agenda coming from
Brussels, which, by the way, doesn't fully represent the views of the European member states
themselves. There's actually quite a bit of divergence, certainly, with some central Eastern
European countries, the Baltic states, and elsewhere, from what has become a very French and
German driven agenda on the tech regulatory side. There's a tendency to see things like the DMA
and the DSA, and the Al act and all these things we see coming out from Brussels, as
representative of the European perspective, but, in reality, it's not necessarily. There are a lot of
smaller companies that aren't being classified as gatekeepers, medium-sized companies in places
like Scandinavia, they have a very active tech market, have some concerns, that they don't want to
clamp down on US companies just to be replaced by French companies.
There's a lot of divergence on how the European laws that we're going to see enacted in the next
several weeks here, most likely, are going to affect the European ability to compete. The big
question for Europe, and this goes back to, again, about why has Europe taking this leadership
role on the tech regulatory agenda, even though most of the companies really talking about are
not European companies. | think the reason for that is because there's a real fear of being left
behind. Obviously, the US still leads on technology innovation, and China is actively aggressively
competing there, so what is really Europe's role?
European policymakers have carved out regulation -- sometimes, unfortunately, in the service of
regulation versus the service of innovation -- as their leadership in the world, part of their
leadership portfolio. This is where Europe sees its ability to have impact in the world, through
norms, international standards, etc, but | agree that it's probably a little too early for that, because
some of this technology is still very nascent. | think now that we look back, look at what's been
happening in Russia, and China's also part of this dynamic, but to zoom in on Russia a little bit,
deeply concerning developments about how the the Russian government has been using and
abusing western tech platforms in the service of digital censorship, in the service of digital
Just over the last several days, we've really seen a combination, or what has actually has been a
years long effort by the Kremlin, to force companies to comply with increasingly draconian local
laws, the so called new landing law, as it's called, that is affecting basically all companies, social
media, broader tech companies, platforms that are operating in Russia, and de facto making them
much more vulnerable to things like detaining, arresting employees of these firms if they don't
comply with these draconian laws. They're demanding the takedown of content that is truthful
content, which, of course, companies have been resisting for a long time, and it's important to
know, paying a lot of fines.
But, at some point, | think they come to a question of, do we want YouTube in Russia still, and of
course, YouTube, for example, has been the only reason why Russian opposition voices or
independent voices have had any avenue for expression in a deeply state controlled environment,
or do these companies just pull out, and basically cede this information environment completely
to the authoritarian state? | think it's a really difficult situation that firms find themselves in. It
really should be the prerogative of the US government and European leaders to stand up for
democratic values of free expression, and to support and push back on some of these very
aggressive authoritarian tactics that we see deployed, but right now, the companies are kind of
left in the lurch a little bit to figure out for themselves.
Yeah, absolutely. It sort of brings me back to this idea that abroad, the Biden administration,
similar to the Trump administration, they're in the position of defending their own tech companies
to foreign governments that wish to tax them, or put regulations that seem to be focused just on
the biggest US companies, but at home, they want to regulate them themselves. Maybe you could
speak a little bit to this tension, that the US government seems to defend our companies abroad,
but at home there's a pretty robust competition agenda going on, and a desire to have more
content moderation and more privacy, not saying we've passed many laws, but there are many
efforts. Can you speak to that tension?
Sure. There are three things you raised there. One is this competition policy question, which is
more akin to the DMA, you have a conversation there about federal privacy law, and then you
have a conversation about content moderation, which, for the most part in the US, is a debate
about 230. In the competition lane and the pure competition lane, | don't see the Biden
administration fundamentally having a different position abroad, from what they have at home.
The administration has made it clear that they do not support the DMA, as drafted, they've made
it clear to the Europeans that there's a variety of things that need to change. At home, the
domestic legislation that is most furthest advanced in the Senate, the administration has not put
out a statement of administrative support for that. In fact, you see large amounts of folks on the
Democrat side of the aisle who have deep concerns with the way in which that is drafted, which is
very similar to the DMA.
Where | think you have tension in the administration is, what should regulation look like in this
space? There, | don't know that they have an answer, they know what they don't like, but I'm not
sure they know what they do like. So, when they put their opposition out there to Europe on the
DMA, when they had withheld their full support for what's happening here at home, | think that's
entirely consistent. What one should do about platform regulation is where | think the
administration is still trying to figure out what makes sense, what would look like good regulatory
practices, how much of this should happen as a matter of antitrust law versus regulation? In the
United States, we're trying to do it as an amendment to our antitrust laws. In Europe, they've
decided not to amend their antitrust laws and do it as a matter of regulation. These kinds of
questions, | think, are very much still unanswered with the Biden ministration.
When you move to the privacy space, obviously, as Alex said, the debate among US- EU is not
about whether or not we have adequate protections for privacy in the United States from a
commercial standpoint, the Europeans accept it, but we in the business community don't want 50
state-based regulations, we want to see a federal privacy solution, the Chamber is very much in
favor of that. | think the administration is very much in favor of that. | think the details are
oftentimes associated with how you construct things like private rights of action, and what
happens when it comes to to a violation. All of that will take some time to sort out, but | think
there is a common agenda there. Certainly, | think Europeans would welcome a federal privacy
law. There's lots of European investment, as | said, in the United States, they don't want to have 50
state privacy frameworks by which to address.
In the third area, which is this content moderation debate. This is the one where | think it's the
toughest to figure out what is a legislative or regulatory path forward. Obviously, you have clear
requirements under our constitution for free speech, but we also know that you can't yell fire ina
crowded theater. What is the online version of that has yet to be figured out -- whether that is
figured out over time as a matter of common law, or courts, or whether that's figured out by the
United States Congress. We're a long way from having that answer, but the urgency is clear. It's
not only being sorted out in Europe through their efforts with what they call their DSA, but | see
dozens of countries around the world who are putting content moderation frameworks in place.
Many of those are within authoritarian governments who are dictating terms, what is legal content
versus illegal content. When you look at these regimes, it's very unclear. Companies are left to try
to decide for themselves how to interpret the law, and then the ways in which they must comply in
many cases are completely unreasonable and outright crazy. So, that space is the one that, both
from a policy standpoint as well as from civil society and the business community, is where | think
there is the most room to figure out what the path forward is.
Again, on the competition piece, | think the administration is clear on their opposition to both
approaches, but they're not clear on is what the right approach should be.
Does anybody else have anything to add?
Yeah, if | could just chime in there, specifically on the content piece, because I've been working on
issues around your counter disinformation efforts for too many years, I'd like to admit. One of the
things that we have to really pay close attention to is the precedent setting nature, which | think
Sean was just alluding to, some of the legislation that we see emerging, talking about online
harms and not really defining what that means, talking about illegal content. Basically, some of the
European proposals have been copied and pasted by countries like Russia into their own law, and
now the very same language is being used to repress and oppress independent voices saying that
this extremist content is illegal content, that there's online harms in certain content, which is of
course, truthful content. So, it's being used in the service of censorship and repression, rather
than what they're supposed to be used as.
Did you have something to add, Alex?
Yeah. that is a very good point. Having observed EU-US discussions purely on privacy, but also on
tech policy more broadly, One of the things is that there can be a little bit of an excessive focus on,
| would say, the instrumentalities of how to implement policy, and the differences that we have
there. That can sometimes obscure the fundamental sameness of our values. That's something
that really both sides could stand to work through, is looking more at how we implement our
policies and practice, and how that reflects our fundamental values.
This is where we also hit this real problem -- we haven't talked about this yet -- around concepts
like digital sovereignty as well. This is the same concept that the Beijing uses to talk about their
desire to control the online space. This concept has also become pervasive in the European
debate. And so, | think my question is, where did the values come in here? If the United States and
Europe are divided on the tech agenda front, then we'll be divided on the values front. | think we
need to start really pushing our governments to not leave companies just out there fighting the
large authoritarian states on their own. It's long overdue. Frankly, | think the current situation is
just so deeply disturbing .Hopefully, | think there's a silver lining, hopefully the unity we're seeing
right now between Europe and the United States in the response to Russia will be channeled into
greater cooperation on this particular agenda as well.
The example I'm thinking of here is in terms of privacy, certainly we have different approaches to
it, but from the United States standpoint, we argue that it's not a decision between privacy and
security, you can have both of those things, but you just need to have the right policies and
approaches in place. We're trying to dig into that.
One of the things is -- it's gets less attention than Privacy Shield, but -- there are discussions now
at the Organization for Economic Cooperation and Development about what are the appropriate
safeguards and limitations on government access to data? Really, this is bringing together
practitioners from the national security communities in Europe and the United States, along with
people who are responsible for fundamental rights, and looking really deeply into what are the
best practices around sort of government surveillance, and we're finding there's a lot of
commonalities there. Certainly, we have different legal systems in Europe and the United States,
but when it comes down to it, the values that underpin them are quite similar, and you find a lot
of best practices. That does give me some hope for this moving forward, that we have sort of
more in common than we have different, and then also the current crisisdoes focus minds on that
a little bit. That's my two cents.
Yeah, thanks Alex, that makes a lot of sense. | recall, Ambassador Bill Kennard saying in meetings
that, with the EU and the US, it was the narcissism of small differences. | think it's a pretty apt
observation, given that the policy issues that are being debated and the values that underpin
them are so similar, whilst the institutional setup and the political dynamics are different. You
mentioned the Franco-German locomotive is back on track, the French-German locomotive of
European integration. After Brexit there's a big UK shaped hole in the Union, where there was a
push or pull towards open trade, restrained intervention in markets and so on, and so we really
see that now.
The digital sovereignty concept that you mentioned, President Macron likes to talk about strategic
autonomy. We currently have the French presidency of the of the Union, and this has been an
incredibly strong narrative that runs across all kinds of policy areas. Just one quick example, there
are cybersecurity standards being developed for the entire EU. That's entirely sensible to have
that cybersecurity framework for a cloud services across the EU to replace national standards.
But what the French have tried to do is to introduce what they called sovereignty requirements, so
that certain parts of the cloud services market can only be serviced by European companies, with
maximum percentage of foreign ownership, with no involvement of non-EU staff, with strict data
localization requirements in place. So, we're seeing this political narrative now really being
reflected in different policies across across the sphere, and in a way that is probably actually
actively harmful to what the cybersecurity framework seeks to put in place, because what you do
not want is to have it such that European organizations, public sector organizations, or
companies, cannot use the best possible cybersecurity technologies in the market.
So, there's a lot of work for us to do on this.
If you look at the way things are going, it seems though data sovereignty and this balkanization of
the Internet is happening all over the world in Russia, China, India, US, Europe, how do we sort of
come together and have a free and open Internet again, where every country doesn't have
different rules, and the Internet doesn't look a little different depending on where you are? Is
there a coming back to that? Or have we gone too far?
| can start us off there, if you don't mind Ashley. We don't have free and open Internet on a global
level anymore, and we just don't live in that reality. | mean, go to China, go to Russia, go to
Myanmar, obviously. At this point, we are in a position, unfortunately, having to defend the free
and open democratic online space. This is exactly where the squabbles over details are deeply
unproductive, and go against the broader strategic agenda of making sure we're all on the same
place. Because we have to defend that space, we have to defend the ability of people to have
access to truthful information, a variety of sources. Companies big and small play a deep and
huge role in that. My concern about things like sovereignty, and conversations, especially on cloud
services and other issues, are deeply concerning, because it's just reinforcing the splinternet
model in a different sector. We have to really shift lenses, because if we keep moving in this
direction, we're just going to reinforce the authoritarian vision of the online world, and it's not the
vision, | think, that many of us here share, or that many individuals would like to be a part of,
frankly. That's the big issue today, whether we can move away from -- the EU wants to lead on
regulation, and we can put innovation on the backbench there, where we are on competition
policy, etc, etc, -- we do align on the bigger, broader principles. We have to come back and
compromise, and a lot of that compromise has to happen in Brussels, because they have been so
much further along on setting out their demands and their agenda, and the US has been lagging
behind there, and hasn't been as engaged in some of these issues until the current
administration. So, there's a lot of work we have to do.
| don't want to, you know, raise the alarm bells too much, but we're in a really bad place right now.
We have to move really, really quickly to ensure that what we still have, that we're going to have
for future generations.
I'll just build off of what you were talking about. | think the one area where we risk atomization or
fragmentation is artificial intelligence. The EU has moved forward with legislation last year, a very
broad and ambitious piece of legislation, it's early stages yet, yet it has a number of very sensible
components that | think will find a receptive audience on the US side. However, it is not clear that
it will hit the right balance between the dual objectives, which are to create an ecosystem of
excellence and innovation, as well as an ecosystem of trust, and a vibrant market for trustworthy
Talking about -- back to the TTC, we would very much encourage the US government to be as
engaged as possible, and as forward leaning as possible, in terms of dialogue with EU
policymakers in this space. The regulation is going to set out technical standards for compliance,
the worst outcome would be if we have a set of standards coming out of Europe that are then not
compatible with what NIST, for example, has been working on here, something that Workday has
really supported. So, if we can use the TTC to facilitate alignment and interoperability, and these
two pieces docking together nicely, | think that would would be the best outcome for all of us.
Yeah, | think you really put your finger on it, in terms of the word that | always focus on,
interoperability. We don't have to have all the same laws and approaches on the Internet, but we
do need to ensure that they work nicely together, and that there are ways to build bridges. That's
essentially what Privacy Shield was about, you had an EU law that functioned differently than US
laws, but you had enough US law in that space that you could make an argument that, if you add
some things to it, it is essentially equivalent. That's kind of the spirit that we're looking at, is finding
ways to work together, and that also gets to the issue of trust, and trusting that, yes, other
systems may look somewhat different but, since we operate on the same values, that we can
accept that that will probably get you to the right place.
If the question was, where are we headed? | think the answer is, we are not. We are in a state of
fragmentation, the question is how much more fragmented we become. If you listen to part of the
last session with Congressman McCaul, he talked about essentially decoupling with China when it
comes to technology, the importance of export controls, the importance of not allowing tech
transfer for national security concerns. If Europe decides to take a maximalist approach in terms
of divergence with the United States, on DMA, on DSA, on Al, on the cloud -- we haven't even
talked about the Data Act, which just was put out last week, which is entirely an effort to say, look,
we're going to redefine what the definition of data ownership means, what it means for B2B
business relationships for data, we're going to compel the sharing of data, which is a property
right, fundamentally. If Europe decides to go down completely divergent paths from the United
States, we are talking about a decoupling between the United States and the EU on digital
When | heard you lay out the cloud stuff, | said to myself, are we talking about France and Europe,
or are we talking about China? The idea that you're only going to have a certain amount of local
content, you're going to only allow certain amount of foreign direct ownership into a space, these
are the tools China has used, that have caused the challenges we have today in the US-China trade
relationship. And so, to the degree to which Europe is headed down that same path, we will end
up in a position of decoupling. That's going to be very difficult when you look at, again, where |
started, our relationship has been built on investment, we have invested deeply in each other's
markets. That investment is something that American businesses are interested to continue to
make additional investments in, and European businesses are interested in making additional
investments here in the United States. So, we need to figure out how to get around the table at
the TTC and work on these issues, but we do have some serious challenges, given where Europe
has decided to set out its agenda, and where we stand today in these conversations in the United
Since we have Dr. Polyakova here, and there's so much going on with the Russian invasion of
Ukraine, | just want to ask you, what has been sort of the most striking thing to you, in the past
week or so, that you've seen online having to do with the social media companies, Russia, Ukraine,
and the attempts at censorship and even just a lot of the misinformation we're seeing? Has
anything been particularly shocking to you or different?
Well, it depends what the relative starting point is for shock, right? | think we're in a much better
place than we were, for example, in 2014 when Russia invaded Crimea and eastern Ukraine, which
is when | started working in disinformation issues, where the Russian narratives were really
propagating into Western media, and they were being spread very widely on social media. Then
we saw her own ability to really grasp the importance of that, then, of course, came to us here in
the United States in 2016, and then elsewhere.
I've seen how companies have actually learned a huge deal over the last eight years, and have
been quite active in removing content, fact checking content, and this has really been a thorn in
the Kremlin side. One of the big conflicts that we've seen emerge in the last week was our fact
checking, and Meta's policy effect of fact checking content, labeling content, and the Russian
government demanded they stop doing this, or they're going to basically start limiting access to
their platforms in Russia. They have been doing that, and then only partially complying with this.
Again, | think companies have been trying to push back. One interesting development has also
been the European Union now banning Russian state sponsored media outlets, like RT, Sputnik,
and others. My understanding is that the companies are following the EU now, | guess, proposed
law on this, and that's been a really positive development.
The big question is, there are companies like TikTok, where are they going to go? Platforms that
are operating in these authoritarian states, but are not necessarily as concerned about issues
around false misleading information? | think we have to ask ourselves, do we want our children to
be using Facebook or Instagram or TikTok, when we're talking about control of false information?
It's been a much better situation, | think governments have, especially the US government has,
been very effective on the broader information messaging side. Certainly Ukrainian, certainly
people in Central Eastern Europe, are much, much more aware of disinformation, and have a
much more critical lens on it. To be fair, or to be honest | should say, it's been really depressing to
watch, as well, how deeply penetrating the Russian state propaganda has been in Russian society,
which, again, is why go back to the point of, we have to fight to maintain freedom of access of
information in these authoritarian states while we can, because that window is closing. The
majority of Russians, despite the very brave and courageous Russians who have been protesting
the war, and getting arrested and thrown in, and beat up and all these things last, last several
days, that's still a minority. The reason for that is because most people are buying the state
narrative, and why? Because they don't have access to other information, they're watching state
sponsored media, because that is the mainstream media, and that is the dominant information
source for many Russians. We see what that leads to.
It's a better situation that companies have learned. Unfortunately, | don't think governments have
learned as much, because we still don't have just a basic regulatory framework that will give
companies some guidance on what they should or should not be doing. I'm not talking about
things that we were talking about earlier, but just some basic guidance. Now we have companies
doing all kinds of different things, as they have been for many, many years, and it's also creating a
lot of loopholes. Twitter may be able to remove something, but Facebook is not, and etc, it goes on
like that. That is really limiting our ability to counter disinformation and false narrative on the
online space, but | do think things are better than they used to be.
Yeah, just last night, Meta announced that they took down a coordinated and authentic activity
attempt, but it reached far fewer people than it -- maybe even, whatever, a couple years ago --
nothing like what we saw in 2016 with the US election, it was a much smaller impact. A lot of what
me and my colleagues have been seeing in the past couple of days is, it's not so much the
sophisticated online disinformation campaigns, it's just regular people going online and
retweeting something that isn't from the current conflict, or was a picture taken out of context, or
just something that was totally unrelated, but you got a bunch of people rallying in support of
Ukraine to retweet it. We see a lot of confusion there, too. So, the companies are in a tough
position, you'd like to see the support for Ukraine, and all of the retweets and the interactions
we're seeing, but even some of this positive content or pro-democracy content is not accurate. So,
there's a lot to unpack there. | just want to make sure before we wrap up, if anybody had anything
else to add broadly about Privacy Shield, anything we missed. And you said in a week, right?
Next week, it's done. Yeah.
Did you want to add anything?
Well, | think it's just worth pointing out that this is a very concrete concern, the Privacy Shield, but
behind that sits this whole other dimension of EU-US issues in the technology space, and looking
at the geopolitical situation that we're in right now, this ought to focus the mind in terms of
forging, really productive cooperation, on this in the very short term, and on the other issues
going forward. That should be something to strive for.
| know that's definitely our hope. | can say that, in these negotiations, we have really strong
partners in the European Commission. We have worked with them on these issues for a long time,
and | can say definitely, over the years, we have developed a shared language, and they've
developed a deeper understanding of our approaches on surveillance policy, and there's definitely
a mutual understanding and a lot of goodwill there. | think that's only growing, and so that makes
Well, on that optimistic note, we will wrap up today's panel, and thank you guys very much for