The u. S. And eu are each others leading partners in trade and Digital Services doing more business with each other than they do with others including china. This makes the rules surrounding International Transfer of personal data an important element in stable and global economy. The last few years, however, Data Transfers from europe to the United States have been under legal threat. The privacy law in europe, gdpr. Requires recipients of the data of eu residents to protect the data by taking certain measures even at the data is transferred outside the you of europe to the u. S. Or india or somewhere else. Concerns have been expressed that Data Transfers to the u. S. Might be called up in bulk surveillance by National Security agencies. Twice European Court of justice has ruled the existing mechanism to protect Data Transfers to the u. S. Is insufficient. The last three years the u. S. And eu have been negotiating a new arrangement, data privacy framework, which we will talk about today. It is not just about u. S. And eu. The last few years other arrangements seeking to cover the transfer of personal data has arisen around the world. Were going to talk about those and how they may intersect with the eu u. S. Framework. As increasing amounts of personal data move around the world, how can you be protected without creating multiple conflicting systems of government . We have a great panel to discuss this. We have Lucrezia Busa from the European Commission. She is on the part of a step a commissioner for justice the d. A. Renders Justice Didier reynders along with working on the privacy framework covering Artificial Intelligence, policy and values and transparency initiatives with extensive experience working on European Competition and digital policy. She is joined by steve lang Deputy Assistant secretary for International Information and communication policies in the loop Bureau Cyberspace and digital policy at department of state. Before taking this positioned in november 2020 two, he served as minister counselor for economics at u. S. Embassy in japan. Before that worked on International Communication policy at state for several years. He has served as u. S. Diplomat in mexico, china, taiwan, bangkok, and have been a. We have my colleague Kenneth Propp and nonresident senior fellow at the Atlantic CouncilEurope Center and adjunct professor of european law at the Georgetown University law center and a senior fellow with crossborder data forum. He is one of the leading nongovernmental voices on issues surrounding Data Transfers and privacy. From 20112000 15 he was legal counselor at u. S. Mission to the you where he worked directly on many of these issues. Last week failing to cancel release his most recent paper last week out to cancel release his most recent paper. We are allowed to have you with us. We have had an announcement earlier this week from u. S. Commerce Department Regarding negotiations for data privacy framework and it looks like things are coming to the culmination. Could you give us an update . Also, we note the data privacy framework is reported has received criticism in europe from ngos and members of the European Parliament, how sustainable do you think the new framework will be . Are another legal challenge . Expecting another legal challenge . Lucrezia thank you. Good morning everyone. I should say im speaking on my own capacity so whatever i say cannot beat me to the commissioner mitigated by the commissioner. Expanding our process and most important steps as you correctly said, we are presented job decisions some time ago. This decision being assessed by european protection law, European Network involved in authority. They have express an opinion. Also, European Parliament has given an opinion and after that the procedure for sees the text omitted to the court submitted to the court of the 28 Member States and after that subject to the approval by 28 Member States that European Commissioner can adopt the decision. We are on track with all of the procedures and be we hope to adopt the decision soon. Two important steps have happened this week also on the u. S. Side. On the what and the fact that one end the fact that it has been planed intelligence agencies have abated evaded the guidelines that take into account the new requirements that are containing executive order that was adopted by President Biden last year then the second important step is the eu and switzerland and norway have been recognized as sorry, i should stay norway heaven recognize as the qualifying stays. That means these are the state that can benefit of the new safeguards and the new mechanism that has been created by the new executive order of President Biden last year. Given these two steps are important for the entry to the decision once it is adopted. After a bit of an explanation on our side of the important steps, to reply to your question on the stable the stability of the arrangement we have put in place, we are confident on our side that these arrangement is stable and meets the requirement of our European Courts of justice. Equivalent to the Supreme Court of the u. S. Judgments are very important to us and latest adjustment judgment amounts Privacy Shield constituted our mandate in negotiations with his counterparts in u. S. The most important requirements from the Court Related to the introduction of sectors on one end and the other end to adjust avenues for european citizens. The new arrangement we have put in place has creates place creates important safe because cuts when it comes to the safety. It is important to say these safeguards are concrete when it comes of the reasons why this data can be collected because there are it is explained in the executive order there are a number of priorities for which these data can be collected. The conditions under which this can happen, the time under for which the data can be retained. It is important is leach try to spell out that we try to spell out during the new arrangement to be as concrete as possible when it comes to the nature of the data that can be collected to the seriousness of the threat and also to the likely impact on the rise of the universe the collection. For each of these important considerations, we have a concrete the terminations determinations and also, this will be subject to an oversight. We have created the creation of a new Data Protection review course which is different from the previous. The Data Protection review court is important because it facilitates access to address to european citizens of who can access the court in their own language and the procedure in the court is facilitated and what is important is the fact that court is independent because it is considered by judges that are appointed based on the system. They cannot be removed. It is important because it creates understanding the judgments of the course, the decisions of the court cannot be changed by any member of the executive bodies in u. S. All of these we are confident. On the safeguards and the remedies and this is why we cannot exclude a challenge before the court, we confident this time the result will be a positive one. Let me press you on the timing. Businesses, every time i talk to someone about this in the business world, it is about how soon will this be done. Weve had the announcement from the u. S. This week. What is your thinking on the timing of the actual issuing of the final adequacy of determination . Lucrezia i can only say is going to be soon. Soon this month such as jess you all stay tuned on this. Suggest you all stay tuned on this. You will not be disappointed. We will be watching. Let me turn to steve lang, although the u. S. Arrangement has grabbed attention, it is not the only game in town. U. S. Has been involved with other potential arrangements on Data Protection such as the data free flows with trusts. In the asiapacific privacy rules. Could you give us a picture of these other initiatives multilateral initiatives and the approach of the by and administration . How do they relate to the gdp are and euus system . Are these alternatives to each other are they things that can be linked together somehow . Steve thank you for this opportunity to join such an esteemed panel to talk about a really important subject. I would say businesses have flagged for us many times that having more tools in the toolbox can assist crossborder Data Transfers. We have counted more than 150 Data Protection laws currently in force around the world. No two of them are exactly the same. Regulatory divergence has contributed to digital trade restrictions that mean that no one tool could possibly address all the laws at the same time. As a result, United States has adopted all of the above approach that includes the use of Data Protection framework for useu Data Transfers following the appropriate adequacy determination of European Commission but also standard contractual clauses and model contractual clauses and binding corporate rules. However given the proliferation of Data Protection laws we are focused on promoting Data Transfers models and tools that promote interoperability among Data Protection regimes around the world and tools that are ultimately scalable, recognizing the variety of historical traditions, constitutional norms, and legal standards on data privacy and Data Governance around the world. We believe the crossborder privacy rules form represent a great example of this approach. Cbpr system is a government recognize data privacy certification system. Companies can use to certify their Global Operations international;y recognize standards. Requirements are based on recorded privacy recognized in 1980s and revised in 2013 privacy guidelines. These are these core possibles reflected in data privacy regimes around the world. There are nine economies that participate in the system as full members. United states, canada, mexico, japan, republic of korea, singapore, australia, chinese, type a, and philippines supporting 4. 4 trillion in trade and investment between u. S. And these economies and we are happy the United Kingdom has also applied for associate status and we hope they will be admitted soon. Frances thanks very much. Let me follow up and say, do you see how this might intersect at all with gdpr . Im wondering how the u. S. Government is seeing this as they get ready to sign finalize the Data Protection framework. Steve i think we really see these tools are in mystery. We feel there is a need for more than one option given the vast variety in different approaches around the world that are informed by different histories, backgrounds, and perspectives. Frances thank you very much. Jane, congratulations on the paper. It is a very clear explanation of the Current Situation and of these very many initiatives steve is just discussing. I would like to focus on useu part of this and then were going to expand the discussion more on the multilateral side. What is your view, having gone through some of the earlier iterations of useu data privacy arrangements, of the sustainability of this particular framework being put forward . What other avenues that see you u. S. Have to build some kind of Data Protection arrangement should this not prove to be sustainable . Kenneth thank you. It is great to have this opportunity this morning with such a distinguished colleagues of u. S. Government and brussels. Lucretia has outlined the key aspects of the new framework. It is very likely that there will be a challenge from the court of justice and the focus will be on these aspects necessity and functionality of u. S. Analysis and oversight for individuals in the treaty. Necessity is significant for the first time the u. S. Has actually agreed to to necessity. Theyve indicated it will be interpreted according to u. S. But if you look at the agreement itself you see that the concepts are very well fleshed out. There are risk of legitimate objectives as well as ones that are prohibited. One question that will arise before a court of justice has to do with collection. The framework which says all collections not prohibited but european [indiscernible] comes quite restrictive. That is an issue for the court. The other one and it is a legal proposal to sort out was how to strengthen oversight and mechanisms. U. S. Took steps here to strengthen oversight through the Intelligence Community itself. There is involvement of the privacy and civil agreement oversight aboard which is independent federal agency, not a part of the Intelligence Community. Then most notably the creation of Data Protection new court under authority of regulation issued by the department of justice. One can find aspects of the structure on redress that are different from house some European Countries structure it, notably created by executive action rather than by statute. It is technically administrative communal window it is called board and is nothing said about the possibility of a traditional body. Does that mean he is excluded but it is not specified. My initial assessment is the stands a better chance of being sustained by the court of justice than his two predecessors. If the court looks at the framework holistically rather than looking for something exactly laws and practice there are strong bases here. The standard is social equivalents essential equivalents. At the same time it is conceivable that the court could find u. S. Does not court standards, fundamental right standards for the reasons i have outlined. The court has tradition in this area and it sees fundamental rights as one of his signature topics. I think this is a to be determined question in the end. Your second question was what else u. S. And eu might do and it might seem perverse, i am grateful to be suggesting they should do more when ungrateful to be suggesting they should do more when framework comes into fruition but given the reality that the framework might not survive at the court of justice, i think it is important for washington and brussels to be thinking about other conversations that could be fruitful. I suggest in the report one of them is engaging trade and Technology Council and the second is perhaps having discussions in context of the digital trade commitment. Data privacy framework was not negotiated by the form. That was a conscious choice. It was an ongoing negotiation at the time. Had a friend bases and front bases and finally the agencies involved particularly on the e. U. Side not necessarily the ones that are leaders in the there is a bureaucratic complexities there. For now establish itself as a useful form for finding common ground. There are topics that could be brought in. For example, it is unfairly solid work on assessing release solid work on assessing Artificial Intelligence. Why not take up the protection of privacy risk which underlines this whole conversation. The second aspect is there is commonality between u. S. And eu on the concept of accountability, blink in rules to make companies responsible stewards for the data i think that profit as well is something that can be flushed out further bilaterally and multilaterally. The last one is an additional trade agreement. There were corrections on data flows and in those negotiations. There were errors that were addressed. On data, and that negotiation. As the u. S. Starts to add trade with additional regions in the world to go back to this conversation. Some interesting options there. I wanted turn to get reactions. The need to keep talking as we go forward. If there is a legal challenge it will take some time to play out. And thinking about these multilateral initiatives and how compatible they may or may not be. One thing that those of us who have tracked this of learned is the eu system uses gdpr, its a designation by the eu, its not a negotiation. How do you see that intersecting with these multilateral initiatives . Are they something that could be compatible with gdpr, is there a way to build a compatible governance system . What are your reaction on the bilateral issues and that we will talk about that more. The consolation is, we have no borders its an important part of our economy. It contains Important Information about people. That is where we speak about customer data, who people are, what they think. Other important things, and for our public policy, its important to protect privacy. It is why in europe we are trying to write these rights in our canon law. The european system is a system unlike other countries when it comes to inflows. You can move in, out. It is the community of production. It does not require that everyone has the same laws. We dont everyone with that being said, it will allow europeans to have information on their customer base. When we went over our regulation , it is something thats important for us. It is important to respect court cases. We are open to discuss with Different Countries ways to best protect data into see if one system offers this kind of protection. But protection not based on their system. We need to do so in a way thats recognized in our regulation. If we want a relationship where data can freely flow, things need to be done in a safe way. Because we have different principles and jurisdictions but we recognize the right to regulate differently. Where the u. S. Is contributing to help identify the ways to ensure that data is protected from government access. When it comes to principles, all of these other forums are very welcome. The discussion is welcome. [indiscernible] if you want special evidence of Data Protection. I would also like to say, that something we have seen in our context is a convergence towards different criticisms and motives. This means that the kind of professions recognize values. And that those values are enforceable. Even in these decisions of the union to allow data, it is true at the end of the process, the u. S. Has shown the world that these discussions are aimed at a constitutional system. There is a common level of protection. In the u. S. There is a designation drama as a certifying state. Thank you very much for that. National security has been a key element in the way that the eu has looked at this, the protection of data from National Security elements. While also having adequate sweetie arrangements with several countries that have strong National Security, like israel. How is the u. S. Seeing this link between these multilateral initiatives and National Security. Are we thinking if those are compatible with privacy protections . The other questions for you, the u. S. Does not have comprehensive privacy legislation. We have some legislation in the Health Sector and in particular, protections and the economy. In dealing with these other multilateral arrangements in the u. S. As a diplomatic actor in negotiations on those and fostering those, has this been a disadvantage or is it not a relevant factor that we lack comprehensive privacy legislation . First on the linkages between National Security and protected privacy. I think all i can say is that these are both important priorities that the United States take seriously and we want to make sure our multilateral arrangements are reinforcing both of those priorities. That is complicated sometimes but thats what we get paid for. In terms of the lack of a comprehensive u. S. Data privacy law. I would first say, we do have strong privacy protections of the United States based on our legal system. The fact that we dont have a single comprehensive law does mean that sometimes it takes more work on our part as diplomats representing the United States explaining our u. S. Privacy framework. I dont see it as a major disadvantage overall. Of course i will also add the Biden Administration does support efforts to pass a comprehensive Data Protection law in the United States and we also see that states are acting to protect data with several bills introduced in statehouses. I think there is bipartisan support on this issue and we are helpful we see Congress Getting closer every year to making progress on this issue. I want to also invite our audience to send in questions. We look forward to getting a lot of those and having some time after the next question for our audience questions. Please send those in. In your paper, you have written a lot about the links between the u. S. Eu system. These are the initiatives do use of talked about. How do you perceive those models of governance working together . As i said at the outset, we have more and more data going everywhere around the world and we dont necessarily conflicting modes of governance. What do you think are the opportunities, if you focus on a couple of priorities and what are the challenges that we will face in creating any kind of arrangement . The situation is ripe for multilateral work. In those meetings about governance around the world, we are at a great level of frustration being expressed on how the u. S. Is dominated or taken the air out of the room for 10 years now. There is an urgent need on the part of other countries in the world, with data across borders to service less costly and less burdensome than the one we have had for 30 years. The good news is, there are a burst of initiatives and to this desire. We touched on some of them. There are specific principles on government access to data, its very inclusive there. Also in europe, the council of europe which is a binding agreement on privacy is relevant. The most interesting new development a grouping including the g7 and the former apex rules that have provided a global path. This offers a kind of first assessment at the initiative. [indiscernible] that may entail further work on government access. Why there are regulatory agencies in those seven countries, while globally it has been limiting among companies. It has a chance a greater relevance going forward. I guess what i would say, we are seeing growing momentum in this area. Its encouraging seen these conversations taking place. Nobody knows yet how they will fit together and which one will become more significant. I think it is time for progress. Thank you for that. Let me come back to you and i have an audience question thats kind of technical. If there is a challenge by the ecj, will the new framework remain enforced during this process . At what point does the framework not exist anymore . And we have to start negotiations over . It remains in place and tell it is not. In the previous judgment, concerning it remains in course until it remains in force as the court judgment. What can happen is that can be an extension but in that case, its not up for the court to decide whether the conditions or intermediate our sanction. We have gone without private cy shields a place so it has worked for a while. There are limits. In particular, the courts have made it clear that it is on the companys as well. The legal system of the country where they are sending data. The court says the u. S. System in absence they deduct for additional measures. That the Companies May have used for their business. I want to come back to you on the National Security question because you do have adequacy issues with other countries. With israel you have National Security considerations, bureaucracy. How has this been addressed in other negotiations and other adequacy conditions, this concern about National Security agencies potentially being able to harvest data and look at data in excess . We cant hear you. The different systems go ahead. We assess Different Countries with different National Security systems. The problem of interplay has been the priority. Protecting National Security on one hand and privacy on the other. That is a common theme. There are ways to find a medium with these two priorities. Countries like japan, korea, u. K. , israel and others these are the same that we applied in negotiations with the u. S. Looking at the court judgment, we have looked at the sector and the remedies in place. All of them are different because it was explained, in a different way. Just to say, these countries also had to introduce modifications in their systems to achieve this level of equivalence. It has recently been the case in israel, they introduce changes in their system. And decisions before, but we are doing them. We are reviewing them. There is a process of review that goes on . In some cases, in the u. K. , if the system does not offer any more the level of protection. We have a question from the audience for you. This viewer mentions it creates a little more work as a diplomat to talk about privacy protections. The viewer would like you to unpack how you are handling these explanations so that we can understand the system in the United States and how that would intersect with other agreements . It depends on the context of the conversation. How we make that explanation. In a complex negotiation like the data privacy framework we have experts on both sides who are quite familiar with this is systems and each others countries. Often, we are doing public messaging and we have to talk about the various types of Legal Protections and just how the u. S. System works. For instance, our help data is protected by one piece of law and other protections are enforced by the federal trade commission or the variety of different ways that our various types of personal information are protected. There isnt a single formula. It depends on the conversation. Sometimes it can take some time to help people understand that there is more than one approach to protecting privacy. Let me turn to you, and the paper as you talk about the opportunities that are out there to move towards some of these multilateral initiatives, a couple of times you say when the u. S. Has a comprehensive privacy legislation or it would be easier if the u. S. Had it. What is your take on the importance of having privacy legislation if the u. S. Is going to be a leader in these particular initiatives . Will it limit the one that weve got or will they do the trick . Putting this politely, these are hard conversations. What is particularly striking about the role of the u. S. And a National Privacy law at a time when most other countries in the world do. Including countries that the u. S. Democratic countries. The privacy laws that have come across the u. S. Congress in the last session which may be back under discussion soon. Even that law does not Pass International muster and dramatic way. In fact, the provision and it were restrictive ones that pertain to china. There really is a sizable gap. Including some binding ones. The u. N. Is closing in information for criminal law purposes and cybercrime. What is your prognosis . We are about to go into an Election Year in the United States. What is your prognosis for whether we will get a privacy law . There have been some attempts on the hill. As you said earlier, i think we are closer than we have ever been. Whether that will translate into actual law during an Election Year. One other factor here is the issue of Artificial Intelligence has come along and seized the attention not just of congress but the u. S. Populace in general. There are privacy issues that are raised by Artificial Intelligence. Thats another important dynamic. Yes, exactly. Let me go to my question for our last round. We just have a few minutes so i will ask everyone to be brief. Kin makes an excellent point that ai and especially the release of chatgpt has raise the temperature on this and has raised more questions about privacy, Artificial Intelligence. When you look at the eus approach how do you see the intersection with ai, gdpr and is there a way to push that into the multilateral sphere. One of our readers asked whether there is a way to talk about establishing a dedicated body that would deal with Data Transfer by additional platforms. Can we create a data club or is that just too much to ask . A couple of complemented questions with just a couple of minutes to answer. Ai, privacy and a club. Ai and shuris control of the data, that is referred to the g dpr and based on their requirements as well. I dont want to go to go too much into details, two systems have been worked on with the interplay between the Data Protection authorities and ai that will be responsible for the enforcement of ai. Let me move on because we are about to end. I will ask steve and working with these multilateral initiatives, is there a time that is right to be talking about Something Else . Whether its an institution or a dedicated body that deals with data flows . Is that where the discussion on data for you flows at the g7 might lead to an actual body of institutions . Our discussions that came out of the g7, the u. S. Was very supportive of japans interest in operationalizing the fft and the approach we agreed to take was through an Institutional Arrangement Partnership that we think the oecd would be suited to house. We think this will be some kind of institutionalized partnership. We dont know exactly what that looks like, but it will further the conversation on data flows in a new framework that we want to be a stakeholder. We will see how that develops. And looking at this from the outside, do you see hope in this direction or is this going to be more of a bilateral arrangement, this data flow . What you suggest is very ambitious. There is increasingly conversations between the us and eu that alice have to stick together on data issues and security implications. Some of that is due to the ukraine war. But it is important to work on things together. I am optimistic. Thank you all very much, we have come to the end of our time. I think this was a super panel and we will all be looking next week or very soon for the final announcement about the new us and eu privacy framework but we will also be looking at the evolution of these multilateral data flows and how they intersect with each other as we strive to protect data around the world. Thank you very much for joining an