SOTN2022 03 Hope Springs Eternal? Assessing the State of U.S.-EU Digital Cooperation

8:49AM Mar 3, 2022

Speakers:

Ashley Gold

Sean Heather

Jens-Henrik Jeppesen

Alex Greenstein

Alina Polyakova

Keywords:

eu

privacy shield

europe

companies

ttc

united states

european

contractual clauses

data

policy

russia

question

data flows

talking

privacy

issues

content

brussels

agenda

people

We're gonna start by having the panelists go down and introduce themselves talk a little bit about their work and what it has to do with EU US relations. So let's start with Sean.

Well, good morning. I'm Sean Heather. I'm the Senior Vice President for international regulatory affairs at the US Chamber. I also cover antitrust and have been working for the last 10 or 15 years on US-EU related matters, going way back to the Tech, if you can remember that, which was a Bush - Merkel initiated initiative, and then more recently the T-TIP, and now the TTC.

I'm Jen's Jeppesen, I represent Workday. I'm based in Brussels, Belgium and I look after Workday's policy and corporate affairs activities in the European region. It's a pleasure to be back in Washington, it's been more than two years, and that's a long time for somebody who's been working on transatlantic issues for for many years now. So thanks for the invitation. I appreciate it.

Hello everyone, I'm Alex Greenstein, I'm director of the Privacy Shield program over at the Department of Commerce. I got into this through a little bit of a roundabout way. I worked for 19 years at the State Department on the, most recently, EU issues, and so ended up working on data privacy out in Brussels, and I was director for the European Union over at the White House, and then I was working on the National Economic Council doing tech policy, and then moved over to Commerce, and have been working on this, and we've been working assiduously on our negotiation of an enhanced Privacy Shield framework to restore stability to transatlantic data flows.

And I'm Alina Polyakova, I'm President and CEO of the Center for European Policy Analysis.

Is there an echo on the mic? Okay, we're good.

As an institution, we work a lot on transatlantic issues. Obviously, Russia and Ukraine has been dominating a lot of our work more recently, but in particular, have been working for many years trying to understand how authoritarian states like Russia, China, and others, are trying to use basically Western companies to censor the kind of information that their populations are able to see, something that we call digital authoritarianism and, as part of that, how the transatlantic community should come together and respond. So, a lot of issues around the TTC now, obviously, broader questions about some legislative efforts in Brussels on the DMA and DSA, and how that hurts or helps transatlantic decision making, unity, and tech regulatory policy things.

Thank you. With that, let's start right at the top with what's going on with Privacy Shield. I would love if Alex could give us a briefing of what's going on with negotiations, what we can expect to see in the next couple of months, and what some of the main sticking points are right now.

Sure, thanks for having me, and this is definitely a priority for the Biden administration. It's something that really cuts to the heart of the transatlantic values and the importance of the transatlantic economy, as both the United States and the European Union, and the role it plays in the broader transatlantic relationship. So, a little bit of history lesson, we're dealing with the fallout from the Schrems II decision which was regarding data transfers from Europe to the United States using the standard contractual clauses however, and that's one of the EU Data transfer mechanisms that, because the European Union has a presumption that data should not be able to transferred overseas unless there is equivalent laws in some of the other country that's under the General Data Protection Regulation, their data privacy law, and so the United States and Europe have negotiated a series of sort of agreements on this issue to enable translate data transfers. However, on previous occasions, this has been struck down by the European Court of Justice regarding concerns about US government surveillance, and the availability of the limitations on that, but also the availability of redress for EU persons who are concerned that their data might have been inappropriately accessed.

We negotiated an agreement a few years ago called the Privacy Shield framework that was struck down by the European Court. Now we are in the process of negotiating an enhanced privacy shield that would address the concerns raised by the Court of Justice and the Schrems II case. It's important to know that what we're negotiating is only about national security issues and government access to data. We're not revisiting the commercial elements, the framework which the court didn't have any issues with. It's important to note that this is something that is -- it needs to be dealt with between governments, because this is essentially about national security issues. What we're working to negotiate right now are something that threads the needle between what the European Court of Justice requires under European Human Rights Law, and fundamental rights, and then also sort of what is possible under the US Constitution, and then also what is, I guess I would say, advisable, given the national security commitments the United States has, and our need to protect the United States and our allies.

I think, as we've seen recently, it's a dangerous world out there, and that reinforces the need for robust national security access to data, with appropriate limitations for protection of fundamental rights. That's what we're focused on right now, this has definitely been a little bit of a long haul. We definitely recognize that there has been a lot of instability in data transfers, and the companies are operating in an environment of uncertainty right now, about whether or not it's permissible to transfer data. That's why we and our partners in Europe are working to try to conclude this negotiation as quickly as possible, because we recognize that's having an impact on both US companies, but also European companies who want to be able to use US services, and also, to be honest, do business here and operate their operations and factories and things like that here in the United States.

And can you give us any timelines?

(sighs) It's a question I always get, and I can't really make any predictions, but we're definitely in the homestretch. Hopefully, we'll have good news soon, but I can't make any promises.

Okay, let's move on to Sean for a little bit, and talk about some of the impact on businesses this uncertainty has had. What are you hearing from the business community on what it's like to wait on a new Privacy Shield, and not be sure if your standard contractual clauses will stand up, and how you're sort of feeling in the meantime? More broadly, can you speak to just the EU-US relationship, as the EU continues with new bills about data, AI, the DMA and the DSA, and how the US and the EU can align, when the EU is being so much more aggressive than the US is?

Well, there's a lot there. Obviously, this is the State of the Net conference, you all know, more so than maybe anybody else I speak to, how important the flow of data across borders is. It is the lifeblood of the modern economy, and so it is natural for companies do want to find legal certainty and terms of being able to support those data flows. What is important, and what Ashley said, is that while a lot of the attention is on Privacy Shield, the court decision a year ago last July said that Privacy Shield needed to be struck down, but they put a giant question mark next to standard contractual clauses, and standard contractual clauses are the workhorse of data flows.

Privacy Shield is important, its symbolic. lots of small and medium sized enterprises rely upon it. but when you look at the bulk of the data flowing between the United States and the EU, it flows underneath standard contractual clauses. This giant question mark, I think, has chief privacy officers and general counsels of major companies, both in Europe and the United States, kind of scratching their heads saying, What does this mean? And, effectively for the last 18 plus months, it has not meant that DPAs across Europe have brought judgments. We have not seen decisions coming down invalidating standard contractual clauses, but we do see signs that there are cases, that are in the system, and that those cases that are in the system are increasingly on borrowed time. They are not the kinds of decisions that the DPAs across Europe can continue to push off, they're going to be forced, I think, at some point this year to begin to make some determinations and decisions, and the question is, if standard contractual clauses are an invalid tool to transfer data between the United States and the EU, we have no legal mechanism by which to do so.

So, the pressure is really on Alex, and you and the Biden ministration had made this a priority from day one. It was a seamless transition from the last administration to this. This is issue number one, as far as the Chamber is concerned, in the US-EU relationship, if we can't solve for this, there's no reason to have cooperation in the TTC. The entire TTC agenda, when you look at the 10 working groups, all has components about data and the ability to move data at its heart. So, this is job number one.

I am optimistic. There are signs, for those who are watching this closely, that the EU understands the importance. I'm also optimistic that, sadly, because of the events of the last week or so, that there may be even a greater sense of concern and importance to ensure data flows between the United States and Europe. You would never want to say there's a silver lining to an invasion, but I do think that this has put a renewed emphasis on the importance of transatlantic ties. So, I am optimistic that we might see, and I'm not in the negotiating room, I'm not at the table, but I feel like we have a chance to see something maybe mid spring, late spring, early summer, that would be the window, which I'm watching right now.

Switching gears. You said, the state of transatlantic relations? Most people think about the US-EU relationship, and they talk about the economic relationship. When you do that, in most cases, people think about trade, the US trading partners. But the US-EU relationship is different, it's really a relationship based off investment. It's very unique. We have trillions of dollars of US investment in Europe, there are trillions of dollars of EU investment in the United States. There is no other economic relationship in the world that is built on investment first. It's because of that investment we trade with each other. I think it's still true today that there is more US investment in Ireland than there is US investment in China. That shows you just how significant the relationship is.

Why do I say that? Well, when we've seen past dialogues between the US and EU, I think there has been kind of this sense of hope springing eternal, which I think is today's title for the conference, or at least this session of the conference. My view is this, the US and the EU have been cohabitating, but never got married. We have this deep relationship that we have become comfortable with each other, and when we tried under the T-TIP to formalize that through an actual marriage, folks didn't like that too much. So, we're now back, through the TTC, at a negotiating table. My concern, about the way in which these negotiations are set up, is almost every issue on the TTC agenda, Europe has decidedly put out its markers as to where it wants to go on AI, where it wants to go on competition policy, where it wants to go on data policy, and there's not much to negotiate.

There may be conversations we can have on cooperation vis-a-vis China, on cybersecurity, some of the other agenda items, but on the core regulatory issues that are going to govern data governance and the digital economy, Europe has decided the path they want to pursue, and I don't think it is interested in listening to the United States, or discussing where the United States has views, and unless Europe is going to sit down and have conversations like that, I think the TTC is gonna have a rocky agenda.

We're definitely gonna get back to that, but I want to make sure that Jens here could talk about what Privacy Shield means to companies like Workday, companies of similar sizes, and just the view from Brussels. Why do you think Brussels has such an intention to set these rules for the world, and to take a leading role here, and get these bills passed? And what does it ultimately mean for relations with the US, and whether they can lead together against authoritarian countries?

How much time do I have? (laughs)

A couple of minutes.

A broad question, but beginning with the Privacy Shield and data flows. Workday is a provider of software applications for enterprises across a whole range of different industries, from banking to automotive, manufacturing, energy, etc, etc, pharmaceuticals, we have something like half of the of the Fortune 500 amongst our customers. Many of those companies are European headquartered, so we have more than 725 EU headquartered companies that use our services. These are world leading companies, and they need, just like American companies do, to manage and optimize data flows across borders to run their operations seamlessly across the globe, really. Sometimes the issue has been framed as really focused on social media companies and their use of data. This is really not the case, this cuts across all industries. It cuts across large companies and small companies as well, it's important to note.

Following the Schrems II decision in July 2020, we had European organizations putting out data to demonstrate the impact of Schrems II, and the uncertainty that that has created on European businesses. It cuts across all sectors, and it cuts across all sizes of companies. We see small companies, in particular, have been extremely reliant on the Privacy Shield. They now have to use standard contractual clauses. This is a very difficult process for a small company to manage, and they require a lot of legal assistance to be able to make this work. This is really issue number one for the EU-US relationship at this point. I think, like Sean, we're super excited about the TTC, we think there is an absolute need for Europe and the US to work productively across all of these areas. I think this current geopolitical situation, that we have been learning with for the past number of months, just emphasizes the importance of that. It is really, really essential that Europe and the US try to see eye to eye on as many of these issues as possible, understanding that there will be differences in how countries legislate. EU countries choose -- have, to some extent, some different values that express themselves in different policy choices from the US. That's normal. But, you do have to ensure that there's as much cooperation and alignment as at all possible.

To your question about, why does Europe move ahead so aggressively with legislation and policy in this space? Taking European politicians at their own word, they sometimes frame it this way, they say, in this global technology industry. that is technology services and products that are integrated, not only in the way we work, but in our private lives, education, healthcare, etc, etc, that they choose a road where they've taken a proactive approach to regulating, rather than seeing a more market led development, where technologies evolve and get deployed, and then you try to deal with issues as they come up. This is, I would say, a deliberate choice of European politicians, that has advantages and disadvantages. But that's, at a very high level, how the situation.

Thank you. And that brings us to Dr. Polyakova, I'm so happy to have you here today. There seems to be a lot of agreement on this panel that having an EU-US relationship over data flows, and anything on the Internet, digital, is important for the geopolitical sphere. As we've seen the past couple of days, the Internet is very involved in what's going on right now. We have both Russia and Ukraine making demands of American Internet companies to either invalidate accounts or to de-monetize accounts. Do you, in your view, think it is important for the EU and US to be aligned on all these issues, to be able to deal with the greater geopolitical problem? Or, is there room for some divergence between the two countries?

Well, thank you so much for your question, Ashley. I love going last, because I have an opportunity to respond to what everyone else has already said. I actually just wanted to pick up on where Jens left off, on my we have seen a real divergence in the approach between, certainly in Brussels and Washington, when it comes to the tech regulatory agenda more broadly. I think, of course, Privacy Shield is very much at the center of it. I couldn't agree more that, unless we have agreement on Privacy Shield, then what is the point in the TTC, really? Because how are we going to make any forward momentum there, if we don't have the basic agreements on data flows. The TTC is set to meet sometime in May, mid May, now in Paris. It's been very unclear what the accomplishments have been, and where the agenda is actually heading.

What I've noticed over the last several years working on these issues is just a very different lens for understanding the geopolitics of technology in Brussels and Washington. In the European perspective, a lot of that focuses on individual data protection and privacy, in the United States the lens is much more about national security. It's very difficult, when I go to Brussels or other European countries, to make the point that this is about national security, and that we have to prioritize that. What's happening today, certainly, with the renewed Russian war in Ukraine, lends just much more credibility to that perspective, that number one priority, while data protection individualized is deeply important, but not when it goes against our broader transatlantic security.

It's been very concerning to see what has been a freight train of a regulatory agenda coming from Brussels, which, by the way, doesn't fully represent the views of the European member states themselves. There's actually quite a bit of divergence, certainly, with some central Eastern European countries, the Baltic states, and elsewhere, from what has become a very French and German driven agenda on the tech regulatory side. There's a tendency to see things like the DMA and the DSA, and the AI act and all these things we see coming out from Brussels, as representative of the European perspective, but, in reality, it's not necessarily. There are a lot of smaller companies that aren't being classified as gatekeepers, medium-sized companies in places like Scandinavia, they have a very active tech market, have some concerns, that they don't want to clamp down on US companies just to be replaced by French companies.

There's a lot of divergence on how the European laws that we're going to see enacted in the next several weeks here, most likely, are going to affect the European ability to compete. The big question for Europe, and this goes back to, again, about why has Europe taking this leadership role on the tech regulatory agenda, even though most of the companies really talking about are not European companies. I think the reason for that is because there's a real fear of being left behind. Obviously, the US still leads on technology innovation, and China is actively aggressively competing there, so what is really Europe's role?

European policymakers have carved out regulation -- sometimes, unfortunately, in the service of regulation versus the service of innovation -- as their leadership in the world, part of their leadership portfolio. This is where Europe sees its ability to have impact in the world, through norms, international standards, etc, but I agree that it's probably a little too early for that, because some of this technology is still very nascent. I think now that we look back, look at what's been happening in Russia, and China's also part of this dynamic, but to zoom in on Russia a little bit, deeply concerning developments about how the the Russian government has been using and abusing western tech platforms in the service of digital censorship, in the service of digital authoritarianism.

Just over the last several days, we've really seen a combination, or what has actually has been a years long effort by the Kremlin, to force companies to comply with increasingly draconian local laws, the so called new landing law, as it's called, that is affecting basically all companies, social media, broader tech companies, platforms that are operating in Russia, and de facto making them much more vulnerable to things like detaining, arresting employees of these firms if they don't comply with these draconian laws. They're demanding the takedown of content that is truthful content, which, of course, companies have been resisting for a long time, and it's important to know, paying a lot of fines. But you know, at some point, I think they come to a question of, do we want YouTube in Russia still, and of course, YouTube, for example, has been the only reason why Russian opposition voices or independent voices have had any avenue for expression in a deeply state controlled environment, or do these companies just pull out, and basically cede this information environment completely to the authoritarian state? I think it's a really difficult situation that firms find themselves in. It really should be the prerogative of the US government and European leaders to stand up for democratic values of free expression, and to support and push back on some of these very aggressive authoritarian tactics that we see deployed, but right now, the companies are kind of left in the lurch a little bit to figure out for themselves.

Yeah, absolutely. It sort of brings me back to this idea that abroad, the Biden administration, similar to the Trump administration, they're in the position of defending their own tech companies to foreign governments that wish to tax them, or put regulations that seem to be focused just on the biggest US companies, but at home, they want to regulate them themselves. Maybe you could speak a little bit to this tension, that the US government seems to defend our companies abroad, but at home there's a pretty robust competition agenda going on, and a desire to have more content moderation and more privacy, not saying we've passed many laws, but there are many efforts. Can you speak to that tension?

Sure, there are three things you raised there. One is this competition policy question, which is more akin to the DMA, you have a conversation there about federal privacy law, and then you have a conversation about content moderation, which, for the most part in the US, is a debate about 230. In the competition lane and the pure competition lane, I don't see the Biden administration fundamentally having a different position abroad, from what they have at home. The administration has made it clear that they do not support the DMA, as drafted, they've made it clear to the Europeans that there's a variety of things that need to change. At home, the domestic legislation that is most furthest advanced in the Senate, the administration has not put out a statement of administrative support for that. In fact, you see large amounts of folks on the Democrat side of the aisle who have deep concerns with the way in which that is drafted, which is very similar to the DMA.

Where I think you have tension in the administration is, what should regulation look like in this space? There, I don't know that they have an answer, they know what they don't like, but I'm not sure they know what they do like. So, when they put their opposition out there to Europe on the DMA, when they had withheld their full support for what's happening here at home, I think that's entirely consistent. What one should do about platform regulation is where I think the administration is still trying to figure out what makes sense, what would look like good regulatory practices, how much of this should happen as a matter of antitrust law versus regulation? In the United States, we're trying to do it as an amendment to our antitrust laws. In Europe, they've decided not to amend their antitrust laws and do it as a matter of regulation. These kinds of questions, I think, are very much still unanswered with the Biden ministration.

When you move to the privacy space, obviously, as Alex said, the debate among US- EU is not about whether or not we have adequate protections for privacy in the United States from a commercial standpoint, the Europeans accept it, but we in the business community don't want 50 state-based regulations, we want to see a federal privacy solution, the Chamber is very much in favor of that. I think the administration is very much in favor of that. I think the details are oftentimes associated with how you construct things like private rights of action, and what happens when it comes to to a violation. All of that will take some time to sort out, but I think there is a common agenda there. Certainly, I think Europeans would welcome a federal privacy law. There's lots of European investment, as I said, in the United States, they don't want to have 50 state privacy frameworks by which to address.

In the third area, which is this content moderation debate. This is the one where I think it's the toughest to figure out what is a legislative or regulatory path forward. Obviously, you have clear requirements under our constitution for free speech, but we also know that you can't yell fire in a crowded theater. What is the online version of that has yet to be figured out -- whether that is figured out over time as a matter of common law, or courts, or whether that's figured out by the United States Congress. We're a long way from having that answer, but the urgency is clear. It's not only being sorted out in Europe through their efforts with what they call their DSA, but I see dozens of countries around the world who are putting content moderation frameworks in place. Many of those are within authoritarian governments who are dictating terms, what is legal content versus illegal content. When you look at these regimes, it's very unclear. Companies are left to try to decide for themselves how to interpret the law, and then the ways in which they must comply in many cases are completely unreasonable and outright crazy. So, that space is the one that, both from a policy standpoint as well as from civil society and the business community, is where I think there is the most room to figure out what the path forward is.

Again, on the competition piece, I think the administration is clear on their opposition to both approaches, but they're not clear on is what the right approach should be.

Does anybody else have anything to add?

Yeah, if I could just chime in there, specifically on the content piece, because I've been working on issues around your counter disinformation efforts for too many years, I'd like to admit. One of the things that we have to really pay close attention to is the precedent setting nature, which I think Sean was just alluding to, some of the legislation that we see emerging, talking about online harms and not really defining what that means, talking about illegal content. Basically, some of the European proposals have been copied and pasted by countries like Russia into their own law, and now the very same language is being used to repress and oppress independent voices saying that this extremist content is illegal content, that there's online harms in certain content, which is of course, truthful content. So, it's being used in the service of censorship and repression, rather than what they're supposed to be used as.

This is where we also hit this real problem -- we haven't talked about this yet -- around concepts like digital sovereignty as well. This is the same concept that the Beijing uses to talk about their desire to control the online space. This concept has also become pervasive in the European debate. And so, I think my question is, where did the values come in here? If the United States and Europe are divided on the tech agenda front, then we'll be divided on the values front. I think we need to start really pushing our governments to not leave companies just out there fighting the large authoritarian states on their own. It's long overdue. Frankly, I think the current situation is just so deeply disturbing .Hopefully, I think there's a silver lining, hopefully the unity we're seeing right now between Europe and the United States in the response to Russia will be channeled into greater cooperation on this particular agenda as well.

Did you have something to add, Alex?

Yeah. that is a very good point. Having observed EU-US discussions purely on privacy, but also on tech policy more broadly, One of the things is that there can be a little bit of an excessive focus on, I would say, the instrumentalities of how to implement policy, and the differences that we have there. That can sometimes obscure the fundamental sameness of our values. That's something that really both sides could stand to work through, is looking more at how we implement our policies and practice, and how that reflects our fundamental values.

The example I'm thinking of here is in terms of privacy, certainly we have different approaches to it, but from the United States standpoint, we argue that it's not a decision between privacy and security, you can have both of those things, but you just need to have the right policies and approaches in place. We're trying to dig into that.

One of the things is -- it's gets less attention than Privacy Shield, but -- there are discussions now at the Organization for Economic Cooperation and Development about what are the appropriate safeguards and limitations on government access to data? Really, this is bringing together practitioners from the national security communities in Europe and the United States, along with people who are responsible for fundamental rights, and looking really deeply into what are the best practices around sort of government surveillance, and we're finding there's a lot of commonalities there. Certainly, we have different legal systems in Europe and the United States, but when it comes down to it, the values that underpin them are quite similar, and you find a lot of best practices. That does give me some hope for this moving forward, that we have sort of more in common than we have different, and then also the current crisisdoes focus minds on that a little bit. That's my two cents.

Yeah, thanks Alex, that makes a lot of sense. I recall, Ambassador Bill Kennard saying in meetings that, with the EU and the US, it was the narcissism of small differences. I think it's a pretty apt observation, given that the policy issues that are being debated and the values that underpin them are so similar, whilst the institutional setup and the political dynamics are different. You mentioned the Franco-German locomotive is back on track, the French-German locomotive of European integration. After Brexit there's a big UK shaped hole in the Union, where there was a push or pull towards open trade, restrained intervention in markets and so on, and so we really see that now.

The digital sovereignty concept that you mentioned, President Macron likes to talk about strategic autonomy. We currently have the French presidency of the of the Union, and this has been an incredibly strong narrative that runs across all kinds of policy areas. Just one quick example, there are cybersecurity standards being developed for the entire EU. That's entirely sensible to have that cybersecurity framework for a cloud services across the EU to replace national standards. Brilliant idea. But what the French have tried to do is to introduce what they called sovereignty requirements, so that certain parts of the cloud services market can only be serviced by European companies, with maximum percentage of foreign ownership, with no involvement of non-EU staff, with strict data localization requirements in place. So, we're seeing this political narrative now really being reflected in different policies across across the sphere, and in a way that is probably actually actively harmful to what the cybersecurity framework seeks to put in place, because what you do not want is to have it such that European organizations, public sector organizations, or companies, cannot use the best possible cybersecurity technologies in the market. So, there's a lot of work for us to do on this.

If you look at the way things are going, it seems though data sovereignty and this balkanization of the Internet is happening all over the world in Russia, China, India, US, Europe, how do we sort of come together and have a free and open Internet again, where every country doesn't have different rules, and the Internet doesn't look a little different depending on where you are? Is there a coming back to that? Or have we gone too far?

I can start us off there, if you don't mind Ashley. We don't have free and open Internet on a global level anymore, and we just don't live in that reality. I mean, go to China, go to Russia, go to Myanmar, obviously. At this point, we are in a position, unfortunately, having to defend the free and open democratic online space. This is exactly where the squabbles over details are deeply unproductive, and go against the broader strategic agenda of making sure we're all on the same place. Because we have to defend that space, we have to defend the ability of people to have access to truthful information, a variety of sources. Companies big and small play a deep and huge role in that. My concern about things like sovereignty, and conversations, especially on cloud services and other issues, are deeply concerning, because it's just reinforcing the splinternet model in a different sector. We have to really shift lenses, because if we keep moving in this direction, we're just going to reinforce the authoritarian vision of the online world, and it's not the vision, I think, that many of us here share, or that many individuals would like to be a part of, frankly. That's the big issue today, whether we can move away from -- the EU wants to lead on regulation, and we can put innovation on the backbench there, where we are on competition policy, etc, etc, -- we do align on the bigger, broader principles. We have to come back and compromise, and a lot of that compromise has to happen in Brussels, because they have been so much further along on setting out their demands and their agenda, and the US has been lagging behind there, and hasn't been as engaged in some of these issues until the current administration. So, there's a lot of work we have to do.

I don't want to, you know, raise the alarm bells too much, but we're in a really bad place right now. We have to move really, really quickly to ensure that what we still have, that we're going to have for future generations.

I'll just build off of what you were talking about. I think the one area where we risk atomization or fragmentation is artificial intelligence. The EU has moved forward with legislation last year, a very broad and ambitious piece of legislation, it's early stages yet, yet it has a number of very sensible components that I think will find a receptive audience on the US side. However, it is not clear that it will hit the right balance between the dual objectives, which are to create an ecosystem of excellence and innovation, as well as an ecosystem of trust, and a vibrant market for trustworthy AI applications.

Talking about -- back to the TTC, we would very much encourage the US government to be as engaged as possible, and as forward leaning as possible, in terms of dialogue with EU policymakers in this space. The regulation is going to set out technical standards for compliance, the worst outcome would be if we have a set of standards coming out of Europe that are then not compatible with what NIST, for example, has been working on here, something that Workday has really supported. So, if we can use the TTC to facilitate alignment and interoperability, and these two pieces docking together nicely, I think that would would be the best outcome for all of us.

Yeah, I think you really put your finger on it, in terms of the word that I always focus on, interoperability. We don't have to have all the same laws and approaches on the Internet, but we do need to ensure that they work nicely together, and that there are ways to build bridges. That's essentially what Privacy Shield was about, you had an EU law that functioned differently than US laws, but you had enough US law in that space that you could make an argument that, if you add some things to it, it is essentially equivalent. That's kind of the spirit that we're looking at, is finding ways to work together, and that also gets to the issue of trust, and trusting that, yes, other systems may look somewhat different but, since we operate on the same values, that we can accept that that will probably get you to the right place.

If the question was, where are we headed? I think the answer is, we are not. We are in a state of fragmentation, the question is how much more fragmented we become. If you listen to part of the last session with Congressman McCaul, he talked about essentially decoupling with China when it comes to technology, the importance of export controls, the importance of not allowing tech transfer for national security concerns. If Europe decides to take a maximalist approach in terms of divergence with the United States, on DMA, on DSA, on AI, on the cloud -- we haven't even talked about the Data Act, which just was put out last week, which is entirely an effort to say, look, we're going to redefine what the definition of data ownership means, what it means for B2B business relationships for data, we're going to compel the sharing of data, which is a property right, fundamentally. If Europe decides to go down completely divergent paths from the United States, we are talking about a decoupling between the United States and the EU on digital economy policy.

When I heard you lay out the cloud stuff, I said to myself, are we talking about France and Europe, or are we talking about China? The idea that you're only going to have a certain amount of local content, you're going to only allow certain amount of foreign direct ownership into a space, these are the tools China has used, that have caused the challenges we have today in the US-China trade relationship. And so, to the degree to which Europe is headed down that same path, we will end up in a position of decoupling. That's going to be very difficult when you look at, again, where I started, our relationship has been built on investment, we have invested deeply in each other's markets. That investment is something that American businesses are interested to continue to make additional investments in, and European businesses are interested in making additional investments here in the United States. So, we need to figure out how to get around the table at the TTC and work on these issues, but we do have some serious challenges, given where Europe has decided to set out its agenda, and where we stand today in these conversations in the United States.

Since we have Dr. Polyakova here, and there's so much going on with the Russian invasion of Ukraine, I just want to ask you, what has been sort of the most striking thing to you, in the past week or so, that you've seen online having to do with the social media companies, Russia, Ukraine, and the attempts at censorship and even just a lot of the misinformation we're seeing? Has anything been particularly shocking to you or different?

Well, it depends what the relative starting point is for shock, right? I think we're in a much better place than we were, for example, in 2014 when Russia invaded Crimea and eastern Ukraine, which is when I started working in disinformation issues, where the Russian narratives were really propagating into Western media, and they were being spread very widely on social media. Then we saw her own ability to really grasp the importance of that, then, of course, came to us here in the United States in 2016, and then elsewhere.

I've seen how companies have actually learned a huge deal over the last eight years, and have been quite active in removing content, fact checking content, and this has really been a thorn in the Kremlin side. One of the big conflicts that we've seen emerge in the last week was our fact checking, and Meta's policy effect of fact checking content, labeling content, and the Russian government demanded they stop doing this, or they're going to basically start limiting access to their platforms in Russia. They have been doing that, and then only partially complying with this. Again, I think companies have been trying to push back. One interesting development has also been the European Union now banning Russian state sponsored media outlets, like RT, Sputnik, and others. My understanding is that the companies are following the EU now, I guess, proposed law on this, and that's been a really positive development.

The big question is, there are companies like TikTok, where are they going to go? Platforms that are operating in these authoritarian states, but are not necessarily as concerned about issues around false misleading information? I think we have to ask ourselves, do we want our children to be using Facebook or Instagram or TikTok, when we're talking about control of false information? It's been a much better situation, I think governments have, especially the US government has, been very effective on the broader information messaging side. Certainly Ukrainian, certainly people in Central Eastern Europe, are much, much more aware of disinformation, and have a much more critical lens on it. To be fair, or to be honest I should say, it's been really depressing to watch, as well, how deeply penetrating the Russian state propaganda has been in Russian society, which, again, is why go back to the point of, we have to fight to maintain freedom of access of information in these authoritarian states while we can, because that window is closing. The majority of Russians, despite the very brave and courageous Russians who have been protesting the war, and getting arrested and thrown in, and beat up and all these things last, last several days, that's still a minority. The reason for that is because most people are buying the state narrative, and why? Because they don't have access to other information, they're watching state sponsored media, because that is the mainstream media, and that is the dominant information source for many Russians. We see what that leads to.

It's a better situation that companies have learned. Unfortunately, I don't think governments have learned as much, because we still don't have just a basic regulatory framework that will give companies some guidance on what they should or should not be doing. I'm not talking about things that we were talking about earlier, but just some basic guidance. Now we have companies doing all kinds of different things, as they have been for many, many years, and it's also creating a lot of loopholes. Twitter may be able to remove something, but Facebook is not, and etc, it goes on like that. That is really limiting our ability to counter disinformation and false narrative on the online space, but I do think things are better than they used to be.

Yeah, just last night, Meta announced that they took down a coordinated and authentic activity attempt, but it reached far fewer people than it -- maybe even, whatever, a couple years ago -- nothing like what we saw in 2016 with the US election, it was a much smaller impact. A lot of what me and my colleagues have been seeing in the past couple of days is, it's not so much the sophisticated online disinformation campaigns, it's just regular people going online and retweeting something that isn't from the current conflict, or was a picture taken out of context, or just something that was totally unrelated, but you got a bunch of people rallying in support of Ukraine to retweet it. We see a lot of confusion there, too. So, the companies are in a tough position, you'd like to see the support for Ukraine, and all of the retweets and the interactions we're seeing, but even some of this positive content or pro-democracy content is not accurate. So, there's a lot to unpack there. I just want to make sure before we wrap up, if anybody had anything else to add broadly about Privacy Shield, anything we missed. And you said in a week, right?

Next week, it's done. Yeah.

(laughs)

Totally.

Did you want to add anything?

Well, I think it's just worth pointing out that this is a very concrete concern, the Privacy Shield, but behind that sits this whole other dimension of EU-US issues in the technology space, and looking at the geopolitical situation that we're in right now, this ought to focus the mind in terms of forging, really productive cooperation, on this in the very short term, and on the other issues going forward. That should be something to strive for.

I know that's definitely our hope. I can say that, in these negotiations, we have really strong partners in the European Commission. We have worked with them on these issues for a long time, and I can say definitely, over the years, we have developed a shared language, and they've developed a deeper understanding of our approaches on surveillance policy, and there's definitely a mutual understanding and a lot of goodwill there. I think that's only growing, and so that makes me optimistic.

Well, on that optimistic note, we will wrap up today's panel, and thank you guys very much for joining us.