Europe leading the way on data privacy and data sharing.


Rachael Ormiston: As we know, in order to transfer data from the EU to a country outside the EU, you have to be able to comply with European data protection requirements to show that data is going to be protected at a level at least equivalent to those in Europe.

Dave Bittner: Hello, everyone. And welcome to "Caveat," the CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner and joining me is my co-host Ben Yelin from the University of Maryland, Center for Health and Homeland Security.

Ben Yelin: Hello, Dave.

Dave Bittner: Today Ben discusses an Appeals Court decision mostly reversing a District Court order that barred communication between federal officials and social media companies. I've got the story of policymakers putting the intelligence community on notice when it comes to warrantless wiretapping. And later in the show, Ben's conversation with Rachael Ormiston of Osano. They're discussing the US and EU's data privacy framework. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben, before we jump into our stories here, we've got just a little nugget of quick follow-up here. A listener named Crispen wrote in about our conversation about DNS routing and restrictions and all that kind of stuff that we talked about recently. Crispen says, "Please keep in mind that DNS is not routing. The distinction is significant because if you know the IP address of the servers Sony, for example, wants Quad9 to block, you can still get there." They say, "Following your analogy, this would be like the court ordering the maps app to remove a listing. You can still visit the shop if you know how to get there." That's a nice little nuance there.

Ben Yelin: Yes, much appreciating the clarification. As you know, I am no technical expert. That's why we have loyal listeners who can correct us when we say things that are patently false even if unintentional. So, thank you to Crispen for writing in.

Dave Bittner: Yeah, absolutely. All right. Let's do some stories here, Ben. Do you want to start things off first?

Ben Yelin: Yes, so my story comes from Ars Technica and it is about a decision with the Fifth Circuit Court of Appeals, which is in the southern portion of the United States. And this decision partially overturns a District Court decision that we discussed I believe a couple of months ago. So, in that District Court decision, a judge held that the United States unduly coerced many social media companies, including X, Meta, etc., into taking down content. And they barred communications between a whole bunch of federal agencies and these companies. So, it was a very, very broad ruling that basically said for the purpose of the First Amendment, the government was involved here by threatening or coercing these companies to take down content. That was an inhibition on the free speech of the people who were challenging this activity, and that included a couple of US states plus various doctors, individuals who had their content taken down, mostly through kind of the era of COVID-19 misinformation when people were posting false information on COVID vaccines, etc. So, the Fifth Circuit Court of Appeals, the very conservative circuit as we've talked about, it was a panel of three very conservative judges, one appointed by President Trump, two appointed by President George H. W. Bush. So, we're really going back in time here. And they mostly reversed the holding of the District Court saying that it was too broad. You can't have this blanket ban on all different types of communications between whether it's NIH or the CDC or members of the Biden administration itself, the Biden White House. You can't fully restrict their communications with these social media companies, that would be unduly restrictive of their First Amendment rights. So, the way the District Court decision was written, you could bar something like the Surgeon General asking X, formerly known as Twitter, to put something on advertisements that advocate for cigarette smoking. 
It would prevent the Surgeon General from communicating to Twitter that that content should be either taken down or revised or flagged, "The Surgeon General's warning about the dangers of cigarette smoke." So, it was just too overbroad.

Dave Bittner: Barring all communications basically. You can't even talk to each other.

Ben Yelin: Yeah, I mean, it was basically a full-on gag order. And what the Circuit Court here is saying is you can't have a blanket full-on gag order when most of the activity that's being discussed here is fully legal. There is no coercion in the vast majority of these conversations. Mostly it's just normal communication between government entities and these social media companies. It's a healthy back-and-forth, they're communicating about policy, there's nothing coercive about that content. However, the Fifth Circuit did uphold one prohibition that was part of the District Court opinion and that was a provision that barred federal officials from "threatening, pressuring, or coercing social media companies in any manner to remove, delete, suppress, or reduce posted content of postings containing protected free speech." So, to put that legalese in something a little bit more understandable. Any type of contact between any of the agencies mentioned here and the social media companies that this court would consider coercion where there isn't a meaningful choice on the part of these social media companies, they have to take down the content because they're facing some type of threat, that is still legal under this circuit court opinion. So, the circuit court is acknowledging they are agreeing with the District Court judge that says that agencies and the United States government made explicit and implicit threats against these companies and that that wasn't an inhibition of the First Amendment rights of people who produced content on these sites. So, it is a narrower opinion that only applies to these types of coercive conversations. I still have a problem with it. And you might have guessed that. If you look at some of the factual allegations that are contained in both this District Court case and the Circuit Court case, I have a hard time seeing these as explicit or implicit threats. 
More it's kind of federal officials browbeating these companies and trying to guilt-trip them into taking down content by saying things like, "This is extremely unhealthy. Unhealthy. This is having a measurable impact on vaccine uptake." They're expressing concern about how certain false content is being promoted. You have President Biden himself saying that the actions of these social media companies might be responsible for various deaths as a result of the content being posted here. All that might be mean and might hurt the feelings of these social media companies, but it falls short of coercion. And it doesn't seem to me like these are the types of explicit threats. Now, there might have been implicit threats. To me, the factual record doesn't contain enough evidence of these implicit threats. It would have to be something like, "If you don't take down this particular post, then we will take some type of punitive action." There is very little that a presidential administration can do in that respect.

Dave Bittner: We're going to audit your taxes.

Ben Yelin: Right. There is the auditing your taxes. There's, the "well, we're going to remove your Section 230 protection." They can't do that unilaterally. That would require the cooperation of Congress. And there wasn't any other threat like, you know, we're going to send government agents into Silicon Valley and raid your offices and make your lives miserable. That wasn't, to me, expressed or implied in any of the material that went into the case here. What the judges seem to be doing here is making some type of inference that there were these types of communications. The language was arguably strong, arguably coercive. And as evidence that that coercion worked, they say that the social media sites did end up taking down a lot of this information. And there is some truth to that. I mean, if you think that social media sites have been a little too trigger happy on taking down content, you can certainly see why this is dangerous that there is a relationship here between government agencies and the companies, it's unfair to users of a particular ideology where people are expressing unpopular viewpoints. I think that's fine. But to me, for it to be a First Amendment violation, there has to be some type of government action, again, Twitter or X or whomever can ban whatever tweets they want, they're a private company. The First Amendment only applies when there's some type of government action. The court here is arguing that that action is coercion and I'm just not seeing it, I'm not seeing the expressed coercion in the facts of this case.

Dave Bittner: Now, to be fair here, and as you kind of alluded to, this was highly political, right?

Ben Yelin: It's extremely political. Yeah. So, there's a political undertone here. There have been arguments on behalf of political conservatives in this country that their viewpoints are being suppressed. One of the reasons that Elon Musk purchased the artist previously known as Twitter was because he thought they were taking down content that was unfriendly to conservatives, including things like information on vaccination, other types of COVID-19 things, masks, etc. And this isn't just a Twitter/X problem, I think it's very applicable to other social media sites as well. And this has become central to a Republican argument that they're facing, not just the hostile mainstream press but a big tech oligarchy that's stopping them from posting their preferred content. Now, the irony of that is now they through Elon Musk control one of the big social media companies, the one that really drives news cycles. But at least in the pre-Elon era, I think there was certainly something legitimate to that. You can see why this became such a political complaint. But there are political complaints and then there's the legal issue about whether this is an inhibition on First Amendment rights. Twitter/X, Meta/Facebook, whatever you want to call these companies, they have no legal obligation to keep content on their sites. They can take down whichever content they want. They are protected by Section 230 from liability based on those moderation decisions. The First Amendment comes into play if the government gets involved and for that to be the case, you really have to have proof of the government doing more than saying, "Well, how about we review your Section 230 protection?" That is sort of an implicit threat, but their ability to follow through on that threat, plus their question about whether it was actually a quid pro quo, is it take down this content or we are going to review your Section 230 liability? It's hard to make that connection. 
There are members of both political parties that want to remove Section 230 liability anyway. I just don't think that connection was properly alleged here. The judges of the Fifth Circuit disagreed even though this was a narrower opinion than the District Court judge, they certainly are siding with conservatives in the argument that the social media companies were coerced by government entities to take down content. In that sense, they kind of have won a minor political battle here.

Dave Bittner: Where does the First Amendment stand or conflict when we are in the midst of something like a public health emergency?

Ben Yelin: Well, I mean, I am wary of using emergency powers to cut against people's constitutional rights. There was a big uproar this week about the Governor of New Mexico who instituted an emergency 30-day ban on concealed-carry weapons. Even if you are supportive of gun control, and I think both of us are, invoking that emergency power because there's been a spate of gun violence in New Mexico to basically undo a constitutional right, whether you believe it an individual right or not, the Supreme Court has recognized it as one, so to basically suspend that right for law-abiding citizens for 30 days with the use of that emergency power, that's a big story. That's something that I think should scare us all because you could really go down a slippery slope with the use of these emergency powers. So, just because there is a public health emergency, I don't think that necessarily cuts against First Amendment rights. I know we're going to get the fire in the crowded theatre thing.

Dave Bittner: You can always count on it.

Ben Yelin: That is from the decision in 1918 that was later discredited because it was a decision curtailing the First Amendment rights of protesters for the First World War. And obviously, that was an emergency as well. So, I think you can institute reasonable restrictions but I don't think there is a get-out-of-jail-free card to restrict the First Amendment just because we're in a public health emergency. And, you know, a public health emergency if it's very acute is one thing but COVID's been going on a while now, I mean we're in year three of this. If we justify restrictions on the First Amendment through the COVID emergency, how long does it last? Did it last through the emergency declaration expiring, which was May of this year? Does it last until nobody is dying every day of COVID? I mean, it's hard to have a leveling principle on that. So, I think just kind of saying that this is a public health emergency, I don't think changes the legal landscape that much.

Dave Bittner: Who gets to decide whether the government has gone too far with their communications with the social media companies now? Do observers from the sidelines get to throw rocks at the situation or --?

Ben Yelin: I mean, yeah, judges. Judges and, you know, there are going to be attorneys general who see this decision and some federal agency is going to take an action that they deem to be coercive. There's going to be some public speech where Joe Biden says, "I want Meta/Facebook to take down vaccine misinformation." And they will say, "Hey, this Fifth Circuit decision said that you can't have that type of coercive communication." They'll go back to the District Court and they'll try and institute an injunction or enforce the injunction that already exists. So, this is something that's going to be enforced against members of the federal government, federal agencies, you know, the enforcement mechanism is a little bit unclear. They're not going to be arrested or anything. But I just think they are going to be legally prevented from engaging in this type of conduct. And the remedy is that the social media companies will be required to put this information back online if it was unduly coerced by the federal government.

Dave Bittner: Can I ask a constitutionality 101 question?

Ben Yelin: Sure.

Dave Bittner: So, you mentioned that the government has First Amendment rights as well. Is that -- so explain that being the case to me. Because my understanding is that, you know, the First Amendment is to protect us from the government restricting our speech. How does the First Amendment outline the government's right to free speech?

Ben Yelin: I mean, it's all not always cut and dry. But generally, Congress shall make no law abridging the freedom of speech. That is a right that applies to the people. Members of the federal government are people, as hard as it might be to believe. When you're talking about a decision like this, it's not just restricting the actions of the President of the United States as a constitutional officer, it's restricting the rights of bureaucrats in the NIH to communicate with these social media companies. And just because they happen to work for a government agency doesn't mean that you can just restrict their ability to have conversations or to express their opinions to social media companies. They still retain constitutional rights just because they happen to work for the federal government. So, it's a right against the government but our court system is also the government. And if the court system were to restrict free speech rights on behalf of government employees, that's still an inhibition on the First Amendment, for sure.

Dave Bittner: Okay. All right. Good. Thank you. All right. Well, we will have a link to that story in the show notes. My story this week comes from Wired. This is an article written by Dell Cameron. It's titled "Top US Spies Meet with Privacy Experts Over Surveillance Crown Jewel." That sounds like the description of a juicy novel.

Ben Yelin: The worst Indiana Jones movie ever, you know.

Dave Bittner: Right. Indiana Jones and the Hunt for the Surveillance Crown Jewel. So, this is about a meeting that was held recently. It was held at a place called the Liberty Crossing Intelligence Campus, which I have to say, again, sounds like something --

Ben Yelin: Yeah, the irony is rich.

Dave Bittner: Just sounds like -- I mean, you can't --

Ben Yelin: You couldn't script that any better, you know.

Dave Bittner: You wouldn't believe -- if I put that in my novel or my movie, people wouldn't believe it. But there it is. And it's actually not that far from here, it's down in Northern Virginia. And basically, this was an opportunity for advocates who are troubled by Section 702 of FISA having a conversation with folks in the security world, the intelligence world saying to them that unless we get some reassurances of how you are or are not going to use Section 702, chances are we're not going to renew it. And it's up for renewal at the end of this year. I'm curious what you make of this, Ben.

Ben Yelin: Oh, to have been a fly on the wall at this meeting. It's really interesting. I'm actually impressed that these very prominent civil liberties groups took this action to have a constructive conversation with members of the intelligence community. I think they were grateful that the intelligence apparatus took this meeting. I think they were disappointed that the IC didn't really express any sort of opinion or communication, they were really more in listening mode. So, I think they were unsatisfied that there's going to be any sort of favorable resolution here. But civil liberties groups have leverage. Like you said, this program expires at the end of this calendar year. There are members of both political parties who are firmly against these types of warrantless searches that exist under the Section 702 program. Members of the Democratic Party going back a decade have thought that this is an abuse of the surveillance state, that it allows for backdoor searches so-called incidental searches. Certainly in the last five years, there's been a lot of Republican skepticism about FISA, FISA overreach, spying on political opponents, etc. So, there is just a lot of inherent skepticism in Congress. I, if I were prognosticating, I don't think you can get what the Biden administration is asking for which is a clean extension of Section 702.

Dave Bittner: What does that mean?

Ben Yelin: A clean extension would mean an extension for up to five years with no policy changes to the program. That's what the Biden administration is requesting. I understand why they're requesting it. The Trump administration requested something similar. There's a reason they call this the crown jewel of our surveillance apparatus. It is a post-9/11 tool that we have. So, it's still used to fight terrorism but it's no longer used exclusively to fight terrorism, it's used to address cyber threats, narcotics. It's something that our intelligence agencies really value in terms of getting key intelligence information to protect the American people from a whole lot of different threats. So, you can understand why there's this urge to get it reauthorized but I just don't think it's going to happen without significant reforms. The big reform that civil liberties groups have been pushing for would be to require warrants for any search of Section 702 data in the Section 702 database. Right now searches -- or warrants are only required under a very limited number of circumstances. And if you happen to be communicating with an overseas target of surveillance under Section 702, your communications will be collected incidentally. They'll go into a database which is searchable and you could be arrested and prosecuted based on that warrantless search. So, I'm glad the conversation is taking place. I think that's going to be a very contentious fight in both houses of Congress. I'm actually teaching a course on this at the law school where I teach and we're doing a simulation on the United States Senate reauthorizing Section 702.

Dave Bittner: Interesting.

Ben Yelin: So, all my students get to propose amendments and we'll see where they land. So, maybe I'll have a better hit for you once I see how this works among smart law students.

Dave Bittner: Yeah, I'm curious to see what kind of things they come up with. You know, I was thinking through this and one of the lines of reasoning that I had was, you know, the FBI did just fine with law enforcement before 9/11, before they had --

Ben Yelin: Did they though?

Dave Bittner: Well, I'm getting there. Okay. That's where I'm coming.

Ben Yelin: All right. All right.

Dave Bittner: But things are different in that so much of what we do is online now, so much of the communications happen electronically. To what degree does that change the equation of the FBI's needs for collecting information?

Ben Yelin: I mean, I think the needs are very acute. We saw in the 9/11 Commission Report that there wasn't proper communication between our intelligence community and law enforcement. A lot of information got lost in that shuffle and that was according to the commission one of the reasons for our intelligence failures prior to 9/11. The impetus for Section 702 is the fact that most of these big tech companies are headquartered in the United States. They're US companies. So, if you have terrorists communicating over these networks, we should leverage the fact that we have access to these companies that are in our country. We don't have to do anything extraterritorial to get information from them, we just send them a subpoena saying, "Hey, I need records from this selector, this email address, this Skype account, or whatever." And so, I think it made sense, certainly in the mid-2000s, to leverage that advantage that we have access to these US companies to get the type of information we need to go after terrorists. But we have this backdoor problem. It ends up capturing a lot of conversations incidentally of US persons. And we've had all of these compliance failures, I mean like every year we see a new redacted FISA court decision saying, "Here are the 30 things that went wrong with Section 702 collection. And by the way, we're also going to reauthorize it for one more year." So, yeah, I mean, it's such a conundrum because it's an effective counterintelligence tool. This would be so easy if like the Call Detail Records Program, which was also something revealed by Edward Snowden, this was utterly useless in the 21st century, it's not useless, it's a very effective tool. That's why the debate here is so contentious. It's nice to see representatives of each side of this debate sitting together across the table, even if it's not the most productive discussion, at least there's kind of a line of communication that I think is worthwhile.

Dave Bittner: Another thing struck me here in this, you know, sort of strange bedfellows thing where you have both Republicans and Democrats who all have an issue with Section 702.

Ben Yelin: They sure do, yeah.

Dave Bittner: But what struck me about it was that old joke about -- it goes something like, you know, the problem with Republicans is they see everything in black and white; the problem with Democrats is they see everything in shades of gray. Right?

Ben Yelin: Yeah.

Dave Bittner: Right?

Ben Yelin: Very well put, you know.

Dave Bittner: Yeah. And this strikes me as being almost an illustration of that where the problem that Democrats have with this is sort of more diffused and, you know, just a general policy issue where the problem that Republicans have is you came after Trump campaign aide, right, it's very specific.

Ben Yelin: Right. Now, to be fair, there are Republicans who pre-Trump had very skeptical views of FISA surveillance, have been fighting this stuff for years. I mean, Rand Paul would scream at you if you told him that this is just about you protecting Trump. Because he's been going after Section 702 for the last 10, 15 years. The same with Senator Mike Lee of Utah.

Dave Bittner: Okay.

Ben Yelin: There are some Republican senators who had no problem with FISA until it was used to surveil one of the campaign aides of former President Trump. There are Democrats like Senator Ron Wyden, who we mention frequently on this show, who have made it a cause of their career to cut against this type of over-encompassing surveillance. And then there are members like Chuck Schumer who kind of are fine with it. They might have some policy concerns but from a cost-benefit perspective, they're okay with reviewing it, particularly under a Democratic president. So, it's not entirely cut and dry in terms of each party's viewpoints on this. There are nuances. But, yeah, I mean, it is interesting when you have this cross-ideological coalition here. One of my favorite anecdotes is Marco Rubio and Ted Cruz got into a huge fight about surveillance during a 2016 Republican presidential debate. Ted Cruz was on the pro-reform side, Marco Rubio was a stalwart defender of our post-9/11 surveillance programs. Nobody cared. I mean, the fact that that was a contentious issue in that debate and then five minutes later, Donald Trump was, you know, calling Jeb Bush Jebruh or something, and that called the attention.

Dave Bittner: Right, right.

Ben Yelin: That didn't actually happen, by the way, I was messing, the else was good. It's just so funny in retrospect that it seemed at the time that that might be a debate that was going to exist in a significant form in the Republican presidential primary.

Dave Bittner: Right, right. A good faith actual substantive policy debate. That's what we want.

Ben Yelin: Those were the days. Those were the days.

Dave Bittner: Right, right. Oh, man. All right.

Ben Yelin: Here we are once again.

Dave Bittner: Here we are. Yeah. All right. We will have a link to that story in the show notes. And, of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us, it's [ Music ] Ben, you recently spoke with Rachael Ormiston of Osano. And your conversation centered on the US and EU's data privacy framework and what we might see coming from that now that it's in place. Let's listen in.

Rachael Ormiston: As we know in order to transfer our data from the EU to a country outside the EU, you have to be able to comply with European data protection requirements to show that data is going to be protected at a level at least equivalent to those in Europe. And there are a number of ways you can do this. It could be through the standard contractual clauses, or it could be having an adequacy decision such as these data-sharing agreements like the Data Privacy Framework. And when these are in place, what they mean is that personal data can be flowing freely between the EU and participating US companies if there are any additional conditions and allow them to be treated in the same way as though their transfer was being done in Europe.

Ben Yelin: And so that accrues benefits to us just in terms of the financial benefit of having these cost-free data-sharing agreements.

Rachael Ormiston: Yeah, absolutely. I think one of the things I saw in the executive order from President Biden was he was saying that there have been, I think it was $7.1 billion have been -- they were trying to be protected by making sure there was this free flow of data between the EU and the US. So, there are certainly economic benefits but there's also that consumer benefit of making sure that services can be provided across the pond. It must be frustrating. And if you're in the EU and you can't get the same service as those in the US. So, certainly making sure that the services can be provided without disruption. And then also just at an operational level, without having to have those complex standard contractual clauses in place every time you're entering into a new contract.

Ben Yelin: So, this is our third bite at the apple on this, can you just get into a little bit about the failures of both Safe Harbor and Privacy Shield? What happened? What the European Court of Justice said and your analysis as to why those agreements were ultimately struck down?

Rachael Ormiston: Yeah, so it definitely feels like we've got deja vu again because back in 2013, and after those Edward Snowden revelations around those released NSA documents, they brought around the concern that was ultimately challenging the Safe Harbor agreement because of concerns around how the US intelligence services were surveilling data. And that's been a consistent theme in the subsequent framework. So, after the Safe Harbor agreement -- or framework was invalidated, we then had the Privacy Shield framework come about. And again, those same concerns around how the US national security services and intelligence agencies are collecting data and using them is still a constant theme. I think that's one of the areas where we're concerned about for the data privacy framework, can this withstand those same challenges?

Ben Yelin: Yeah, I mean, my thoughts on it is there have been some minor reforms to these bulk surveillance programs. I know there were reforms to our bulk phone metadata program back in 2015. I know Section 702, our main surveillance authority, is up for reauthorization this year. But my sense of it is given what we've seen in the previous opinions, I don't think we've quite gone far enough to allay the concerns of the European Court of Justice. Is that your sense as well? And if so, what do you think they would need us to do in terms of reforms to our surveillance apparatus?

Rachael Ormiston: Yeah, I think there's definitely been significant progress because there has been that detail for additional particularity. Making sure that there is that necessity and proportionality that was really lacking in the previous frameworks. I think that goes to really make sure that when it comes to these requests, there is that balancing. And having those checks and balances to make sure that privacy rights and civil liberties are protected, and there is this new remedy that goes a step beyond the previous ombudsman to have this review board and I think that's certainly helpful. And I think my feeling is it's really going to come down to seeing what is operating like in practice to see whether or not it's actually enforced. So, I think that's one of the main concerns with the previous frameworks companies can certify how are they really being monitored, how are they being enforced. So, I think that will really be a case for us to identify whether or not these frameworks can continue to be durable.

Ben Yelin: Would you be able to give us some detail on this remedy and exactly how it would work? It seems like people outside of the United States would now have what's essentially a cause of action where they could petition to this review board. Can you describe that a little bit?

Rachael Ormiston: Yeah, so there is this new responsibility that's going to be actually placed on the intelligence agencies as well to make sure there's oversight from their legal, their compliance officials so that they do what they need to do. So, there's that additional component to make sure that when the data is being collected, there's some enforcement and regulation there. On the private individual level, there is this new independent and impartial redress mechanism that includes this Data Protection Review Court. And their role is to help investigate and resolve complaints regarding how data is being accessed within the US. So, theoretically, I think that's where we'll start to see more private individuals getting their concerns heard and being thoroughly investigated.

Ben Yelin: Can you talk a little bit about this guy Max Schrems, just who he is and why he has caused so many problems for these previous agreements?

Rachael Ormiston: Sure. So, Max Schrems is an Austrian individual. He has been reviewing these decisions and making sure -- following what's been going on. And he was the original one who raised the challenge over the Safe Harbor. He then followed up with the Privacy Shield invalidation. And we've also heard that his group NOYB are planning on challenging this new data privacy framework as well. He's a privacy advocate who's certainly wanting to make sure that the rights of Europeans are protected when that data is being accessed in the US.

Ben Yelin: And do you think that the way that this process is going to work is that Max Schrems himself is going to try and challenge some provision in front of that new independent review board and then if he doesn't get an answer that he's satisfied with, we're going to get Schrems III as a new case?

Rachael Ormiston: Potentially. I think the NOYB group have certainly spoken; they do intend to challenge this. And I think, you know, there's certainly a lot to be said about having these challenged to make sure we do have these enforcement mechanisms working. I think the European Commission has also said that they're confident in this new framework and that they can defend it. So, it will be interesting to see whether or not that is the path he goes down. I think certainly as a privacy advocate and as a consumer advocate that would be one path he could take that could certainly highlight any concerns that we should be thinking of.

Ben Yelin: So, if you were a US policymaker either within the administration or in Congress, what steps would you take to ensure the future and sanctity of this new agreement? Like what would you recommend in terms of legislation that needs to be passed or policies that need to be put in place to make sure that this lasts longer than the previous two agreements?

Rachael Ormiston: Sure. I think for me, I think just thinking about the fact that, you know, in Europe, there is that comprehensive privacy law that's in place. In the US, although there are these -- you have state-level protections, we still don't have a federal regulation that can really help govern the United States as a whole. I think that's potentially one weakness in the framework where we're still trying to think about what does that mean if you're in California versus in another state that still doesn't have that regulation yet. So, I think that would be one way where I would see that federal privacy law really being affected to help make sure that there are these equal protections on both sides of the pond. So, I hope that that definitely helps to propel some of those discussions around getting that federal regulation in place. I think the other thing is just making sure that we can start to see how these decisions and these investigations are actually being enforced. I think having that transparency to show that the mechanism is there, that it exists, and it works, I think that will help to combat some of those fears and reticence that there's maybe another framework that just doesn't do what we're trying to get it to do.

Ben Yelin: And that we have to move on to framework number four and --

Rachael Ormiston: Five and six, and so on.

Ben Yelin: Exactly. We'd all get very tired of this whole process. So, it does feel like deja vu. It's funny that you mentioned the federal data privacy law because I do think that's sort of the answer to a lot of our problems. But I think you're right to point out that Europe now has had five years of experience with the GDPR, they're used to that level of protection of their data and I think they're expecting that when their data is transferred to the United States. So, I think that that point is very well taken.

Rachael Ormiston: Yeah. And I think my hope is that, you know, we all learn from what Europe is experiencing. They are certainly experiencing challenges in terms of how the GDPR is enforced. And we're starting to see some of those gaps and how we fill them. So, I do hope that that comes to other countries as well.

Ben Yelin: If you had to be a prognosticator for the future -- I know this is a difficult question -- but do you think this new agreement will survive, that it will be enforceable, and that we can finally put the woes of the Schrems' cases behind us?

Rachael Ormiston: You know, I honestly have no idea. Genuinely I feel like when it comes to privacy, I feel like I have an idea. I know how it's going to work. And then the next thing, we see some -- another curveball. So I genuinely don't know but I don't think this is going to be the end of it and we're going to be living happily ever after with an achieved agreement on this level. I do think there's going to be a challenge but I think this may prove more effective than the previous ones. I think it certainly has more controls, more robust measures. But I do think we are going to be seeing that challenged. And I think the other part of it is also just knowing that the landscape for privacy is just changing so rapidly as well outside of these data flow agreements. We're seeing a lot more discussion on how data is being used more broadly than just personal data as we think about AI and as we think about some of the data-sharing agreements in Europe. So, I think this is certainly going to be one component but just part of an overall landscape around how we're managing data and how we're sharing it with others.

Ben Yelin: So, Rachael, is there anything that we did not discuss that you wanted to contribute to our conversation about this agreement?

Rachael Ormiston: I think from my perspective, this is a really interesting development. And whether or not we are able to maintain this is going to be one that we're going to be watching for. But ultimately, the hope is that we can find a durable framework that can help privacy pros to manage privacy obligations amid all these changes that we're seeing. So, definitely an interesting development and we're watching the space to see how it unfolds and whether there are any future challenges. [ Music ]

Dave Bittner: All right. Interesting conversation, Ben. Where do you suppose we're going to go from here? I mean, it's --

Ben Yelin: I'm ready for Schrems III.

Dave Bittner: Okay.

Ben Yelin: It's coming. I mean, I think we have to see what she talked about which was this accountability mechanism where European citizens can challenge our surveillance practices in front of this new governing body, that's promising. But if they don't like the results, we're going to see a third case that might throw out this data privacy agreement for the third time. So, again, I'm not a gambling man but if I were, I do think we're going to see this back in front of the European Court of Justice. I do.

Dave Bittner: Yeah, it's interesting to me how it just seems as though the EU is taking the lead with all of this stuff. And I know there's sort of a cultural difference between how many nations in the EU view privacy versus our view here in the US. But it's interesting to me that the intertwining of the two, how this is kind of a borderless thing, you know, we can't -- for that information to flow, we have to find some sort of a happy medium here. And the EU seems to be leading the way at least in putting their foot down and saying, "We're not going to do this."

Ben Yelin: Yeah. I mean, it should provide some incentive to our policymakers to reconsider our surveillance programs. If it's inhibiting our ability to engage with these economically beneficial data-sharing agreements, it should make our policymakers think twice about it. But on the other hand, why would we listen to, you know, those crazy Europeans? We can do what we want. They should conform to our practices. So, you can kind of argue it both ways.

That is our show. We want to thank all of you for listening.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening. [ Music ]