[Senate Hearing 115-803]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 115-803

                        THE INTERNET AND DIGITAL
                  COMMUNICATIONS: EXAMINING THE IMPACT
                     OF GLOBAL INTERNET GOVERNANCE

=======================================================================

                                HEARING

                               BEFORE THE

                         SUBCOMMITTEE ON COMMUNICATIONS, 
                      TECHNOLOGY, INNOVATION, AND THE INTERNET

                                 OF THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 31, 2018

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation
                             


                Available online: http://www.govinfo.gov
                
                              __________

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
55-218 PDF                  WASHINGTON : 2024                    
          
-----------------------------------------------------------------------------------                 
               
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                   JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi         BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                  MARIA CANTWELL, Washington
TED CRUZ, Texas                      AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas                  BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska                 EDWARD MARKEY, Massachusetts
DEAN HELLER, Nevada                  TOM UDALL, New Mexico
JAMES INHOFE, Oklahoma               GARY PETERS, Michigan
MIKE LEE, Utah                       TAMMY BALDWIN, Wisconsin
RON JOHNSON, Wisconsin               TAMMY DUCKWORTH, Illinois
SHELLEY MOORE CAPITO, West Virginia  MAGGIE HASSAN, New Hampshire
CORY GARDNER, Colorado               CATHERINE CORTEZ MASTO, Nevada
TODD YOUNG, Indiana                  JON TESTER, Montana
                       Nick Rossi, Staff Director
                 Adrian Arnakis, Deputy Staff Director
                    Jason Van Beek, General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
                      Renae Black, Senior Counsel
                                 ------                                

    SUBCOMMITTEE ON COMMUNICATIONS, TECHNOLOGY, INNOVATION, AND THE 
                                INTERNET

ROGER F. WICKER, Mississippi,        BRIAN SCHATZ, Hawaii, Ranking
    Chairman                         MARIA CANTWELL, Washington
ROY BLUNT, Missouri                  AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas                      RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska                EDWARD MARKEY, Massachusetts
JERRY MORAN, Kansas                  TOM UDALL, New Mexico
DAN SULLIVAN, Alaska                 GARY PETERS, Michigan
DEAN HELLER, Nevada                  TAMMY BALDWIN, Wisconsin
JAMES INHOFE, Oklahoma               TAMMY DUCKWORTH, Illinois
MIKE LEE, Utah                       MAGGIE HASSAN, New Hampshire
RON JOHNSON, Wisconsin               CATHERINE CORTEZ MASTO, Nevada
SHELLEY MOORE CAPITO, West Virginia  JON TESTER, Montana
CORY GARDNER, Colorado
TODD YOUNG, Indiana
                            C O N T E N T S

                              ----------                              
Hearing held on July 31, 2018
Statement of Senator Wicker
    Letter dated July 31, 2018 to Hon. Roger Wicker and Hon. 
      Brian Schatz from Pat Kane, Senior Vice President, 
      VeriSign, Inc.
Statement of Senator Schatz
Statement of Senator Fischer
Statement of Senator Inhofe
Statement of Senator Capito
Statement of Senator Peters
Statement of Senator Gardner
Statement of Senator Hassan
Statement of Senator Udall
Statement of Senator Markey
Statement of Senator Cantwell
Statement of Senator Cruz
Statement of Senator Klobuchar

                               Witnesses

Hon. Michael Chertoff, Former Secretary of Homeland Security 
  (2005-2009); Co-Founder and Executive Chairman, The Chertoff 
  Group
    Prepared statement
James Bladel, Vice President of Global Policy, GoDaddy
    Prepared statement
Roslyn Layton, Ph.D., Visiting Scholar, American Enterprise 
  Institute
    Prepared statement
Denise E. Zheng, Vice President, Policy, Business Roundtable
    Prepared statement
Christopher M.E. Painter, Commissioner, Global Commission on the 
  Stability of Cyberspace
    Prepared statement

                                Appendix

Hon. Bill Nelson, U.S. Senator from Florida, prepared statement
Letter dated July 17, 2018 to Hon. Chuck Grassley, Hon. Dianne 
  Feinstein, Hon. John Thune and Hon. Bill Nelson from 
  CreativeFuture Independent Film and Television Alliance
Response to Written Questions Submitted to Hon. Michael Chertoff 
  by:
    Hon. Roger F. Wicker
    Hon. Catherine Cortez Masto
    Hon. Jon Tester
Response to written questions submitted to James Bladel by:
    Hon. Roger F. Wicker
    Hon. Catherine Cortez Masto
    Hon. Jon Tester
Response to written questions submitted to Roslyn Layton, Ph.D. 
  by:
    Hon. Roger F. Wicker
    Hon. Roy Blunt
    Hon. Catherine Cortez Masto
    Hon. Jon Tester
Response to written questions submitted to Denise E. Zheng by:
    Hon. Maggie Hassan
    Hon. Catherine Cortez Masto
    Hon. Jon Tester
Response to written questions submitted to Christopher M.E. 
  Painter by:
    Hon. Maggie Hassan
    Hon. Catherine Cortez Masto
    Hon. Jon Tester

 
                        THE INTERNET AND DIGITAL
                       COMMUNICATIONS: EXAMINING
                THE IMPACT OF GLOBAL INTERNET GOVERNANCE

                              ----------                              


                         TUESDAY, JULY 31, 2018

                               U.S. Senate,
       Subcommittee on Communications, Technology, 
                      Innovation, and the Internet,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:00 a.m. in 
room SR-253, Russell Senate Office Building, Hon. Roger Wicker, 
Chairman of the Subcommittee, presiding.
    Present: Senators Wicker [presiding], Cruz, Fischer, 
Inhofe, Schatz, Cantwell, Klobuchar, Markey, Udall, Peters, 
Hassan, Capito, and Gardner.

          OPENING STATEMENT OF HON. ROGER F. WICKER, 
                 U.S. SENATOR FROM MISSISSIPPI

    Senator Wicker. Good morning. Today's Subcommittee meets to 
examine international Internet policies and their impact on 
U.S. businesses, domestically and abroad.
    I'm glad to convene this hearing with my good friend and 
colleague, Ranking Member Schatz.
    The Internet, as we know it, has become one of the most 
important inventions in history. We use it for just about 
everything. Thanks to infrastructure investments and ingenuity, 
the Internet is now an economic engine driving job creation and 
unprecedented access to information and opportunities.
    In a short time, the World Wide Web has transformed into a 
global interconnected information super highway facilitating 
growth, freedom, and economic prosperity.
    The multi-stakeholder governing model has been key to the 
Internet's development across the world. This model has 
fostered the creation of a dynamic Internet economy that 
promotes investment and innovation.
    We owe many of the cutting edge products and services we 
enjoy today to the Internet economy. Underpinning this economy 
is Internet data. As the Internet grows and more people and 
things become connected, the volume, quality, and variety of 
Internet data increases.
    This is driving the development of new businesses and 
services and it is enhancing online experiences for consumers. 
Internet data is an essential commodity for businesses to 
compete and grow in the global digital market.
    The importance of Internet data has not gone unnoticed 
internationally. In fact, it has expanded the focus of the 
conventional Internet governing agenda.
    Traditionally, Internet governance has centered on the 
formation of policies and rules dedicated to the Internet's 
technical development across jurisdictions. While this remains 
an important function and primary focus, the increasing value 
of data has shifted attention to the collection, use, movement, 
and overall treatment of Internet data.
    The rise of data where localization rules following how 
data can be processed in a certain territory or jurisdiction 
along with local content requirements, Internet censorship 
policies, and cybersecurity laws are a few examples of this 
growing trend.
    Policies targeting data and networks often stem from a 
country's interest in fostering its own innovation or 
protecting its people from possible data misuse, but here's a 
new problem.
    The global nature of the Internet means that the impact and 
power of these laws goes beyond a jurisdiction's borders. U.S. 
companies are compelled to change business models or alter 
operations to achieve compliance in foreign markets, and 
they're experiencing disruptions in their own domestic 
operations, as well. The result is less job creation, less 
investment, and less innovation in the United States.
    Consumers are feeling the effects of international Internet 
policies. Overly restrictive limitations on data movements or 
inconsistencies across jurisdictions ultimately deliver an 
Internet experience to consumers that is less personalized and 
more expensive to access.
    Today, we look forward to examining the impact of global 
Internet policies on U.S. businesses and consumers as well as 
the continued development of the Internet around the world.
    I would mention that I'm Chairman of the Helsinki 
Commission and as part of the Commission's mission, we promote 
economic cooperation overseas and I also look forward to 
discussing the appropriate role that Congress should play in 
enhancing international coordination on the future Internet 
policies and empowering U.S. businesses to prosper in today's 
global Internet marketplace.
    This is critically important to maintain U.S. leadership 
and data-driven innovation and Internet technologies for years 
to come.
    I welcome the witnesses here today. I will introduce them 
in a moment after we've heard an opening statement from Senator 
Schatz.

                STATEMENT OF HON. BRIAN SCHATZ, 
                    U.S. SENATOR FROM HAWAII

    Senator Schatz. Thank you, Mr. Chairman. Thank you for 
holding this hearing.
    We are here today to talk about governing an Internet that 
is truly international. It serves billions of people who have 
different cultural and economic values and ideas of how it 
should work and that presents a challenge.
    We also have more specific challenges, such as online 
terrorism, foreign propaganda, interfering in elections, state-
sanctioned surveillance, and misinformation that can lead to 
violence, and as we consider them, we have to ask how they can 
be addressed without compromising basic human rights, such as 
free speech or privacy.
    Approaching any one of these challenges would require a 
long and technical conversation and so it's unrealistic to 
think that we can solve all of these weighty policy issues with 
a hearing or two, but what we can do here is highlight and 
demonstrate support for the forums where these discussions can 
happen in a more comprehensive manner.
    The IANA transition from NTIA to ICANN is a good example of 
how a technical governance of the Internet is best served by a 
process in which all stakeholders participate. These include 
industry, civil society, academia, users, and governments.
    Government-driven forums, like OECD, G7, G20, and WTO, also 
allow people to come together to address important Internet 
policy issues, including security, economic development, and 
trade.
    Russia, China, and Iran use these forums to push for 
agendas that censor speech, enable government surveillance, and 
restrict free markets. That's why the U.S. and our allies need 
to maintain our leadership to preserve and advance democratic 
principles. Similarly, a free and open Internet is in our 
common interests.
    The Internet started in the United States. It is 
intertwined with the fabric of our daily lives from basic 
activities, like checking the weather, to exercising our 
fundamental civic rights and democratic values, and that's why 
we have to show up and lead these forums and to continue to be 
the indispensable nation.
    This is generally true for international policy issues, but 
it's especially true for the governance of the global Internet. 
Unfortunately, our leadership is being jeopardized by this 
Administration. Last year, Secretary Tillerson eliminated the 
cybersecurity coordinator role and demoted its 
responsibilities, putting it under the Bureau of Economic 
Affairs, and earlier this year, National Security Advisor John 
Bolton eliminated the White House cyber coordinator role.
    Congress is working to reinstate the Office of Cyber 
Coordinator at the State Department and we hope to persuade the 
White House to re-establish the Cyber Coordinator role in the 
NSC.
    The U.S. Government needs to play an active role in helping 
to set reasonable rules of the road for Internet governance. 
This means protecting the existing international and multi-
stakeholder processes and in this global context, our standing 
down will create a vacuum for authoritarian regimes.
    I look forward to hearing from the witnesses about how we 
can better engage with the international community to address 
the many challenges facing the Internet today.
    Thank you, Mr. Chairman.
    Senator Wicker. Thank you, Senator Schatz.
    We are delighted today to have the Honorable Michael 
Chertoff, former Secretary of Homeland Security and Co-Founder 
and Executive Chairman of The Chertoff Group, Washington, D.C.; 
Mr. James Bladel, Vice President of Policy, GoDaddy, of 
Scottsdale, Arizona; Dr. Roslyn Layton, Visiting Scholar, the 
American Enterprise Institute in Washington, D.C.; Ms. Denise 
Zheng, Vice President for Policy of The Business Roundtable, in 
Washington; and Mr. Christopher Painter, Commissioner, Global 
Commission on the Stability of Cyberspace, Washington, D.C.
    Let's take 25 minutes evenly divided among our witnesses 
for opening statements, and, Secretary Chertoff, we'll begin 
with you and just go down the table.
    Welcome.

              STATEMENT OF HON. MICHAEL CHERTOFF,

       FORMER SECRETARY OF HOMELAND SECURITY (2005-2009);

               CO-FOUNDER AND EXECUTIVE CHAIRMAN,

                       THE CHERTOFF GROUP

    Secretary Chertoff. Well, thank you, Mr. Chairman, and 
Ranking Member Schatz, and members of the Committee, for 
holding this hearing, which is very timely.
    I've submitted a written statement which I request be made 
part of the record.
    Senator Wicker. All of the statements will be made a part 
of the record.
    Secretary Chertoff. And I should just point out that I 
serve with Chris Painter on the Global Commission on Stability 
of Cyberspace. So we interact quite a bit on this issue.
    Let me just try to make a few brief points. As both the 
Chairman and Ranking Member indicated, obviously the value 
proposition of the Internet in many respects rests upon its 
global nature. In fact, it connects up networks all around the 
world and therefore when you have the prospect of fragmentation 
or localization, you run the risk of undermining the 
fundamental value of the Internet because you would wind up 
with a number of different networks.
    This is important not only because we value freedom and the 
ability to communicate with others around the world and to have 
discourse about matters of public importance but because this 
is critical to our economy. The reality is the Internet has 
transformed the nature of our economic activity.
    It allows us to promote exports. It allows us to--if I can 
use the phrase--dis-intermediate between buyers and sellers, so 
we now have the ability of people to sell directly, whether 
it's auctioning on eBay or signing up to look for drivers under 
Uber or Lyft or other ride-sharing programs, and in many 
respects, this is part of what is fueling global growth around 
the world.
    It's also true that much of the innovation and the 
ingenuity behind the Internet, which is part of the market 
value of many of our most prominent companies, depends upon 
having a global market and that means a global Internet. 
Without a global Internet, that market dries up. So we have a 
very strong interest in dealing with this issue.
    It also means that no one country can control the outcome. 
We have to work with our partners. Now candor compels that we 
recognize that the Russians and the Chinese have a different 
view and in many cases, to the Russians and the Chinese, 
information they don't want their public to read is what they 
regard as cybersecurity and that's, of course, the opposite of 
what we view as important.
    So I would make, I think, three points about what we ought 
to address. One is I do think we need to continue to promote 
what has been described as the multi-stakeholder model of 
Internet governance. That means making sure we get not just 
government but civil society, business, and consumers into the 
mix in deciding how the Internet is going to be operated.
    The Russians and the Chinese often look to put the 
governance in bodies, like the United Nations, which would 
politicize and give them in many cases control over the 
outcomes for their own purposes, and I would emphasize that 
often rules that appear to be merely technical actually have a 
great deal of real substance because your ability, for example, 
to control the domain name registry system and to decide, you 
know, who controls basically the traffic flow in many cases is 
the key to whether you censor the Internet or you have it be 
wide open.
    A second issue is we do have conflicting laws in different 
jurisdictions. The Internet is borderless, the data is 
borderless, but the laws have borders, and we often do wind up 
with conflicts.
    Congress has passed the CLOUD Act, which has opened the 
door to resolving some of the conflicts about lawful access by 
the authorities to data that may be held in another country and 
that's a good step forward, and we need to continue to work on 
resolving these disputes among legal jurisdictions about who 
gets to access information and what the substantive rules are, 
in particular because we prize the First Amendment. We want to 
make sure that other countries don't use their power over 
multi-national global Internet companies to drive a vision of 
censorship that would fundamentally undermine our 
constitutional values.
    And, finally, I would say, and Full Disclosure is a book 
I've just written recently, that we need to talk about what 
privacy is like in an era when we are generating so much data 
globally that the idea of keeping it all hidden is a ship that 
has sailed and now it becomes an issue of how do we control the 
data and what rights do we as citizens and consumers have to 
make sure that our data is not being used in ways that we don't 
agree to or that will hurt us and so these are very meaty 
topics.
    I look forward to answering questions from the Committee on 
any and all of these.
    Thank you very much.
    [The prepared statement of Secretary Chertoff follows:]

   Prepared Statement of Hon. Michael Chertoff, Former Secretary of 
 Homeland Security (2005-2009); Co-Founder and Executive Chairman, The 
                             Chertoff Group
Introduction
    As we are all aware, the Internet knows no borders. National 
sovereignty and borders, key elements of how those of us in the West 
have looked at legal and political issues since the Peace of 
Westphalia, lack their traditional meaning in a digital world in which 
data moves between servers and users without regard for their location 
or nationality. I can just as easily access my e-mail in Geneva as I 
can in Washington. My service provider can seamlessly move my data 
between data centers in dozens of countries, with the decision to do so 
made by an algorithm. In some instances, a provider may not even know 
the physical location of the data, the underlying ones and zeros, or 
may ``shard'' the data, spreading it across multiple locations.
    In this environment, it is nearly impossible for any one country to 
claim sovereignty over ``their portion'' of the internet. A country may 
have jurisdiction over the physical infrastructure of the Internet 
within their country, but it cannot control the infrastructure beyond 
its borders nor can it control the services and offerings of providers 
in other countries. Practically speaking, the only way to truly control 
the Internet within your country is to disconnect it from the rest of 
the world, as Russia recently threatened to do and as North Korea has 
done for much of its domestic population (leaving aside the activities 
of the country's cyber warriors).\1\ Even China's Great Firewall, a 
costly but reasonably effective means of control, is unable to 
completely stem the flow of information deemed objectionable by the 
Chinese Communist Party to citizens within its borders.
---------------------------------------------------------------------------
    \1\ See https://www.theregister.co.uk/2017/12/01/russia_own_internet/, 
https://www.scmp.com/news/asia/east-asia/article/2119146/how-north-korea-slowly-embracing-its-own-sealed-version-internet
---------------------------------------------------------------------------
    More importantly, taking such drastic action comes at a significant 
cost. The Internet is now a vital part of the U.S. and the global 
economies. In 2016 e-commerce sales in the U.S. totaled approximately 
$400B, or roughly 10 percent of all retail sales.\2\ Mobile and 
Internet banking use in the U.S. has also exploded, resulting in 2.5B 
bill-payment transactions in 2012 alone.\3\ Beyond these transactions 
are entire companies built on the power of the internet, such as Google 
and Facebook. The Internet has also fostered entirely new segments of 
the economy, such as ride and home sharing.
---------------------------------------------------------------------------
    \2\ See https://www.census.gov/newsroom/press-releases/2018/estats-report.html
    \3\ See https://www.frbservices.org/assets/news/research/2013-fed-res-paymt-study-summary-rpt.pdf
---------------------------------------------------------------------------
    Beyond the economics, the Internet serves as a massive, if 
imperfect, laboratory for democracy and free speech, allowing for the 
free exchange of ideas and information between all users regardless of 
nationality, location, or class. It has also allowed for large scale 
collaboration, resulting in the creation of the world's largest 
encyclopedia, Wikipedia, and various crowdfunding sites that allow 
individuals to raise funds for their ventures beyond the traditional 
confines of banks and institutional investors. On the darker side of 
things, the Internet has also given rise to a dark web that facilitates 
the sale of illicit goods and gives opportunities to criminals to 
conspire and collaborate in private.
Need for coordinated action on cyber (international and bilateral)
    The Internet has proven to be a vital economic and social tool, 
vastly expanding economic opportunity while allowing for the free 
exchange of thoughts and ideas. It is something that is worth 
protecting, but also something that requires regulation and policing. 
However, this global nature also necessitates an appreciation that the 
actions of one country can have impacts far beyond that country's 
borders, and conversely, that broader Internet and cyber policy aims 
can only be fulfilled through cooperation with other countries.
    That said, we must recognize that not all countries view the 
Internet in the same way nor appreciate its significant social and 
democratic value to society. China, Russia, Iran, and many other 
authoritarian countries view the Internet as a threat to the governing 
regime and thus require significant controls and monitoring. In such 
countries various websites are blocked, applications prohibited, and 
communications monitored for seditious speech or efforts that might 
challenge the regime's hold on power. While these countries are part of 
the global network, the reality is that we are never going to see eye-
to-eye with them on important issues of Internet governance, nor will 
the U.S. and its allies be able to convince them to abandon their 
efforts and allow unfettered access to materials that might undermine 
them.
    And so, it is up to us to cooperate and build consensus with like-
minded countries, other democracies and Western countries who agree on 
the broader principles of the Internet but may disagree about how to 
regulate, shape, and manage it. We must recognize that we may, at 
times, disagree with even our closest allies on policy particulars, but 
in the end, it is better to reach an imperfect compromise with them 
than allow for the disintegration of the Internet as we know it. So much 
of the internet's value is in its global nature, and we must work 
across international borders if we hope to preserve it as a common 
good.
    Without that cooperation we are likely to see new barriers, 
intended or not, appear and impede the development and growth of the 
internet. Data localization requirements, for example, may be enacted 
to protect a country's citizens' data, but have the more practical 
effect of significantly raising costs, diminishing competition, 
frustrating international commerce, and preventing citizens from 
accessing the services of providers based outside their own country. 
New regulations may be enacted to protect users' privacy but result in 
unexpected delays in cross-border law enforcement cooperation. The best 
way to avoid such barriers is to work with other countries to address 
these issues, as many countries share the same concerns and would all 
benefit from coordinated action.
    At present, the mechanisms for such cooperation are limited. 
Broader international bodies, such as the United Nations and 
International Telecommunications Union, include stakeholders from 
authoritarian countries which may use those bodies to pursue policies 
contrary to our vision for the internet. The European Union has 
arguably been the most successful multi-national body on this issue, 
developing Europe-wide policies such as the General Data Protection 
Regulation (GDPR). Some progress has also been made on bi-lateral 
solutions, such as the law enforcement data sharing agreements 
authorized by the recently enacted Clarifying Lawful Overseas Use of 
Data (CLOUD) Act, which allows for the U.S. to enter into bi-lateral, 
reciprocal law enforcement data access agreements with countries that 
meet a specified set of legal and human rights criteria. The first such 
agreement, between the U.S. and the U.K., is currently working its way 
through the approval process.
    A variety of other organizations have also worked to address these 
issues. The Global Commission on Internet Governance and the Global 
Commission on Stability in Cyberspace, on which I have served, work to 
counter the fragmentation of the Internet and offer guidance to policy 
makers seeking to address Internet governance issues.\4\ Toomas Hendrik 
Ilves, the former President of Estonia and Visiting Fellow at the 
Hoover Institution at Stanford University, recently proposed what he 
termed a new ``Cyber NATO,'' a coalition of liberal democracies that is 
better able to meet the ubiquity of cyber threats and ensure proper, 
adequate response.\5\ The President of Microsoft, Brad Smith, has 
proposed what he has dubbed a ``Digital Geneva Convention,'' which 
outlines the rules of cyberspace and protects civilians and other 
bystanders from the offensive cyber activities of nation-states.\6\
---------------------------------------------------------------------------
    \4\ See https://www.cigionline.org/sites/default/files/gcig_final_report_-_with_cover.pdf
    \5\ See https://berlinpolicyjournal.com/a-digital-defense-alliance/
    \6\ See https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/
---------------------------------------------------------------------------
    The above is just a brief snapshot of the need for international 
cooperation on Internet governance, be it multi-lateral or bi-lateral. 
Ultimately, the U.S. will be best served by working with countries that 
share its values and vision for the Internet to find a mutually-
agreeable approach to the myriad of privacy, security, regulatory, and 
management issues that face the Internet as we know it. The U.S. would 
also be well served to consult with key stakeholders throughout the 
process, considering the concerns of the technology industry, the 
privacy community, and other actors as it develops its strategy for 
international engagement cooperation on Internet governance and related 
cybersecurity issues. The costs of non-cooperation would be severe and 
ultimately harm the U.S., and the rest of the world, economically and 
socially.
Privacy needs and the impacts of inaction
    Today's rampant technology, and the convenience and opportunity it 
offers, has numbed us to our loss of privacy. The availability of data 
is only going to grow in years and decades to come and we urgently need 
to regulate how government and the private sector can make use of that 
information. The creaky and dated legal framework that currently 
governs the collection and use of personal data was created decades ago 
when phone records and photographs constituted metadata. The U.S. needs 
a legal and policy structure built for the way the 21st century uses 
data--one that retains security and economic benefits without 
sacrificing Americans' liberty and civic values.
    Privacy as we know it has been forever at least substantially lost, 
and the collection of data will--and must, for security reasons--
expand. What must be preserved, however, by new laws and regulations is 
our autonomy--the ability to make our own personal choices restricted 
only by transparent laws and social norms, and to have a reasonable 
degree of ownership and control over the data we generate.
    In March of this year, news broke that Cambridge Analytica was 
regularly harvesting our data for the purposes of manipulating American 
voters in favor of the Trump Campaign in 2016.\7\ The entering wedge of 
Cambridge Analytica's data collection was an apparently limited request 
by a developer to have Facebook users complete an online survey. 
Slightly over a quarter of a million did so. But by downloading the 
survey, they opened the door to collection of data about all their 
friends and their other on-line interactions. As a result, data 
relating to approximately 50 million individuals was captured. Most of 
these people did not know that their information was being used. 
Perhaps improperly, this data was transferred to Cambridge to apply 
machine learning algorithms to correlate granular connections between 
individuals and their likely political predilections and interests. 
This analysis could then be applied for precisely targeted, 
individually focused political advertising aimed at potential voters. 
It is debatable whether this had an impact on the election outcome, but 
it is certain that political campaigns and even governments will 
continue efforts to refine and apply the political marketing 
techniques.
---------------------------------------------------------------------------
    \7\ See https://www.cnbc.com/2018/03/21/facebook-cambridge-analytica-scandal-everything-you-need-to-know.html
---------------------------------------------------------------------------
    And the purpose of those techniques will not only be to affect 
elections. As we have seen, information from Russia and other foreign 
powers has been used to create social division, sow public distrust, 
and even foment unrest. Weaponized data is the newest tool in the 
armory of subversion.
    What all this illustrates is that personal data has become one of 
the most valuable assets of the modern age. That is evident from the 
fact that many of the companies with the highest market capitalization 
are essentially earning revenue from data adapted to commercial 
marketing. But the value of these data assets increasingly also lies in 
their utility as a tool to drive political behavior, impact social 
stability, and even affect national security.
    Even more significant, the business of aggregating and reselling an 
individual's data from multiple sources--social media, online searches, 
consumer purchases, and locational data--means that people will 
increasingly be subject to pressure to change their behavior from 
multiple sources: employers, insurers and governments. By way of 
example, China has embarked on a ``social credit'' plan to aggregate 
myriad data points of online and offline behavior, and award 
individuals a ``score'' that will affect their life prospects.\8\
---------------------------------------------------------------------------
    \8\ See https://www.businessinsider.com/china-social-credit-system-punishments-and-rewards-explained-2018-4
---------------------------------------------------------------------------
    For all of us what this means is that all the data we generate has 
become as valuable, and as worthy of safeguarding, as our money in the 
bank. Privacy--in the sense of shielding data from others--has been 
frayed given how easily third parties can collect and fuse our data. 
What must be protected now is our freedom of action, which requires 
that we take greater ownership and control of our data even when it is 
accessible to others.
Data security regulation and policy solutions
    Part of the remedy will be adaptations in the law and regulation, 
changes that must allow for innovation but also the need to protect 
individuals from having their data abused or weaponized. When user data 
is collected by a platform to improve the user experience, consent 
should be readily presumed. But when the data is being used for other 
commercial purposes, or transferred to third parties, the law should 
mandate that the proposed new use of this data be clearly explained to 
the user, and the user's affirmative approval should be required. 
Opting in or out of this kind of data sharing should always be the 
user's choice and should not be the result of pressure or deception. 
Finally, platforms should be required to describe and make available to 
the user all the types of data being collected about him or her.
    But the remedy also requires each of us becoming mindful of how and 
when we share our data. Sometimes that means we should not share data, 
or that we should pay for an online service instead of accepting a 
``free'' benefit that we pay for with our personal information. We 
should also be careful about completing online surveys because the data 
we enter could wind up in different hands than we expect. Even more 
critical, we should consider that our online communications with 
friends may be harvested if those friends agree to grant access to 
their data. Finally, we must educate ourselves about the way data can 
be used to influence us, and to train ourselves to evaluate these 
messages critically.
    Some data regulation had already progressed both abroad and at the 
state level. Under the GDPR, EU citizens have a right to know what's 
being done with their data, and a right to access it. GDPR requires any 
company doing business in the EU that interacts with and processes data 
of people in the EU to get explicit consent from users for every 
possible use of their data. Users will have a right to be 
``forgotten;'' as in being able to request that a company delete their 
data, stop sharing it and force third-party firms from using it as 
well.\9\
---------------------------------------------------------------------------
    \9\ See https://www.lawfareblog.com/summary-eu-general-data-protection-regulation
---------------------------------------------------------------------------
    In June of this year, California recently passed one of the 
toughest data privacy laws in the country, the California Consumer 
Privacy Act of 2018, impacting how businesses will be required to 
disclose the types of data that they collect, as well as allow 
consumers to opt out of having their data sold.\10\ The legislation, 
which is similar to Europe's new GDPR protections, gives consumers more 
control over their personal data. It grants them the right to know what 
information companies like Facebook and Google are collecting, why they 
are collecting it, and who they are sharing it with. Consumers will 
have the option of barring tech companies from selling their data, and 
children under 16 must opt into allowing them to even collect their 
information at all.
---------------------------------------------------------------------------
    \10\ See https://www.theverge.com/2018/6/28/17509720/california-consumer-privacy-act-legislation-law-vote
---------------------------------------------------------------------------
    While the legislation is a positive step forward for consumers' 
privacy, I acknowledge that addressing privacy through dozens or 
hundreds of regulations in various states and cities would be unworkable, 
and that there needs to be a broader solution at the national and 
global levels. However, the country or state that takes the most action 
and has critical mass will ultimately have the most impact. Take the 
California Emissions Standards legislation as an example. Automakers 
were compelled to more or less follow those standards nationally once 
the automakers in the region were forced to comply with a higher level 
of emission standards than the Federal requirement. To date, 12 states 
and the District of Columbia follow the California standards. 
Similarly, the jurisdictions that lead on data privacy legislation and 
impact most U.S. companies could effectively set the national standard.
Defending against disinformation across Western democracies and 
        election interference
    Attacks on democracy will affect all parties. If we want to 
establish concrete solutions, we need to exchange knowledge and take 
global-minded actions. Organizations like the Transatlantic Commission 
on Election Security, for which I am the co-chairman, focus on finding 
solutions to three major election meddling strategies: manipulation of 
social media, tampering with social infrastructure and leaking 
confidential documents. Working with political and private sector 
leaders, traditional and new media actors, and non-governmental 
organizations, the Commission promotes transatlantic coordination, 
identifying and plugging gaps and raising awareness of this important 
issue. It will also investigate the level of risk exposure across 
Western countries and provide concrete recommendations to address this 
problem head on.
    A positive step forward are private sector initiatives like 
Microsoft's ``Defending Democracy'' initiative (with which I work). 
This initiative engages with stakeholders in democratic countries 
globally to protect campaigns from hacking through:

   increased cyber resilience measures, enhanced account 
        monitoring and incident response capabilities;

   increased political advertising transparency online by 
        supporting relevant legislative proposals such as the Honest 
        Ads Act and adopting additional self-regulatory measures across 
        our platforms;

   technological solutions to preserve and protect electoral 
        processes and engage with federal, state and local officials to 
        identify and remediate cyber threats;

   defending against disinformation campaigns in partnership 
        with leading academic institutions and think tanks dedicated to 
        countering state-sponsored computational propaganda and junk 
        news.
Information Sharing
    Cybersecurity information sharing, that is, the sharing of threat 
data, indicators, Tactics, Techniques, and Procedures (TTPs), and other 
data, is vital to helping others detect and prevent a cyber-attack. 
What makes information sharing so important is the fact that our cyber 
infrastructure is so diffuse. While one entity, such as the FBI, 
Google, or Microsoft, may be aware of a particular vulnerability or 
threat, it can take days, weeks, or even months before the relevant 
information spreads throughout the cyber ecosystem and results in the 
deployment of patches, installation of new technologies, changes in 
network architecture, or the adoption of new policies that adequately 
counter the threat. Such information sharing is likely the most mature 
within the Federal Government, where agencies, particularly within the 
Intelligence and Defense communities, share vital information with one 
another to protect Federal networks.
    The good news is that information sharing efforts are also growing 
within the private sector of the United States, though much can still 
be done. Some of the greatest progress has been made through the growth 
and use of Information Sharing and Analysis Centers (ISACs) and 
Information Sharing and Analysis Organizations (ISAOs), which 
coordinate the sharing of threat information among entities from a 
single sector or geographic region. Some of the most successful ISACs 
and ISAOs, including the Financial Sector ISAC (FS-ISAC) and the Multi-
State ISAC (MS-ISAC), have been able to coordinate the sharing of 
significant volumes of threat information between private and public 
entities while working with Federal agencies to ensure that the threat 
information that they are able to provide is also reflected within 
their ecosystem.
    However, more can be done to grow information sharing beyond the 
government space and a relatively limited portion of the private 
sector. First, the Federal Government can do more to encourage private 
sector information sharing both by enhancing incentives for private 
sector companies to participate and by making it easier for those 
companies to access threat information data from Federal agencies.
    Second, at present, information sharing across international 
borders is exceedingly difficult. Unclear data privacy requirements, 
data transfer limitations, and other legal uncertainties often prevent 
or significantly delay the sharing of threat information data between 
private entities in different countries. The United States should work 
with its international partners to help ease these restrictions while 
maintaining and respecting relevant privacy protections for sensitive 
personally identifiable information.
    Third, international information sharing between governments can 
also be enhanced. While cooperation between U.S. intelligence agencies 
and those of our allies is generally effective, such cooperation is far 
less common between civilian agencies, sometimes because of the same 
regulations that frustrate private sector information sharing across 
international borders. We can do more to enable this information 
sharing and build stronger relationships between the Department of 
Homeland Security, which is responsible for the protection of Federal 
civilian networks, and its counterparts in allied countries.
Five Frameworks for New Laws and Rules to Enhance Security and Civil 
        Liberties
    Finally, I would offer this committee and their colleagues in 
Congress five frameworks that they should contemplate as they consider 
how best to address the cyber threats facing our country and the policy 
challenges that those threats and changing technologies present. While 
no one framework is a silver bullet for the challenges we face, each 
helps to illustrate both these challenges and some of the specific 
solutions that could address them.
    First, to protect us against attacks on our physical and cyber 
security by bad actors while simultaneously preventing the government 
from overreaching to threaten our autonomy, we must recognize that data 
requires both a loosening on what information can be collected and 
stored by or for government and at the same time tightening of the 
standards under which that information can be inspected, analyzed, and 
used. We should grant the government necessary authority to access and 
collect data. The government cannot effectively disrupt criminal 
enterprises or foil terrorist plots without following a digital data 
trail that may only appear significant with the passage of time. The 
trail goes cold if the government does not have initial access and 
collection capability so that the relationships in the data can be 
analyzed in context. Note, however, that I am not advocating that 
private companies build vulnerabilities, like decryption backdoors, 
into their systems to assist the government. The government should use 
its own resources; this burden remains on the government.
    But even as restrictions on access and collection are loosened, 
restraints on government inspection (human or robot), analysis, 
dissemination, and use of that data should be tightened to strengthen 
civil liberties protections against abuse of that data. In the interest 
of individual autonomy, this balances the need to preserve useful 
information with the need to control human access--and possible 
misuse--of that information.
    Second, consider the spectrum of active defense when our 
enterprises or homes are attacked by cyber criminals, terrorists, or 
adversary nation-states. I suggest that licensing private actors to 
defend their networks could help the United States stem the flow of 
intellectual property--the greatest heist in history. But to mitigate 
the risks of unintended consequences and uncontrolled escalation of 
conflict, the government must restrict these licenses to specific 
activities and set clear rules of the road. In particular, no private 
party should be allowed to retaliate against or invade another 
network--even if it is the source of a hacking attack--unless under the 
direction and control of an appropriate law enforcement or judicial 
authority.
    Third, to avoid fragmentation of the internet, and the consequent 
huge global economic cost, Congress should work with other countries to 
develop uniform laws governing both the legal process for obtaining 
data and the substantive laws governing that data. This will require 
creation of enforceable treaties or international agreements that focus 
on protecting the rights of the data subject, since the focus of 
personal autonomy is reasonable control over one's own data. The 
objective of this developing international law regime should be to 
avoid inconsistencies that lead to individual national laws that 
mandate data localization and thereby compromise the global 
architecture and freedom of movement of Internet data.
    Fourth, the law must evolve to control the use private parties can 
make of individual data. In a world in which people inevitably give off 
digital exhaust and often cannot give meaningful consent to the use of 
their data by apps or third parties, the law should shift the default 
to better protect privacy and autonomy. As some European regulators are 
currently insisting, this means that enterprises seeking to use data 
for purposes other than improving the particular service engaged by the 
user--for example, reselling to third party marketers--should be 
required to obtain that user's affirmative or ``opt-in'' consent. Even 
more explicit consent from the data subject should be mandated when a 
data aggregator or platform seeks to resell or repurpose an 
individual's data that was obtained from the third parties who 
initially collected that subject's data without consent. For those 
aggregators or platforms whose market position makes them effective 
monopolists, consent may be deemed insufficient; regulators may need to 
impose limits on the data uses a monopolist may engage in and might 
even require a fee be paid by the company to the subject for certain 
uses.
    Most important, the law must limit the ability of corporations to 
coerce individuals into consenting to broad surrender of control over 
their data. Thus, the ability of employers or insurance providers to 
insist on virtually limitless access to individual data as a condition 
of employment or affordable premiums should be tailored to apply only 
to information reasonably related to employment or insurability. And 
data collected for these reasons should be barred from resale or use 
for unrelated purposes.
    Indeed, noting that NGOs have developed transparency indices for 
how well tech companies respond to government requests for their users' 
data, we should develop transparent accounts or regulations for how 
private companies are using, and especially sharing, individual users' 
data.
    Fifth, the law must incentivize private parties to collaborate with 
the government in protecting against shared vulnerabilities. The vast 
majority of IT infrastructure is in private hands, but the Internet 
makes it interdependent. Without government expertise and even 
regulation, coupled with private sector ingenuity and commitment, the 
Internet infrastructure will continue to fall prey to its weakest link. 
As part of this effort, the law should encourage and protect 
information sharing directly and in real-time among private and public 
entities on both industry-focused and regional bases.
Conclusion
    If there is an overarching lesson to be drawn from the technology 
revolution, it is that our day to day lives are described and even 
defined by data. We generate data, it tracks our behavior, preferences, 
location and even intentions. Data is used to incentivize us, deter us, 
and even coerce us. If others, be they government or private actors, 
manage our data, they effectively control much of what we do.
    The Internet was intended as a force to empower individuals, to 
forge global connectivity, and even to promote freedom. Although some 
believe that the Internet can be a law-free, almost anarchic zone, I 
believe that the above demonstrates that without thoughtful rules, the 
Internet can be a tool to constrain individual autonomy, to bully, and 
to manipulate.
    One way to look at the sea of data in which we currently swim is as 
a global public good. Such a public good has value only if there are 
rules that prohibit overreaching interference and disruption. We must 
therefore develop rules to prevent powerful institutions and bad actors 
from using Internet data to damage, rather than enhance, our autonomy.

    Senator Wicker. Thank you, Mr. Secretary.
    Mr. Bladel.

                   STATEMENT OF JAMES BLADEL,

            VICE PRESIDENT OF GLOBAL POLICY, GODADDY

    Mr. Bladel. Thank you. Good morning, Chairman Wicker, 
Ranking Member Schatz, and Subcommittee Members.
    My name is James Bladel, and I'm the Vice President of 
Global Policy for GoDaddy, and we appreciate the opportunity to 
testify before you today.
    GoDaddy is the world's largest web platform dedicated to 
independent ventures. We provide the tools, insights, and 
people necessary to enable small businesses and aspiring 
entrepreneurs or anyone with an idea to get that idea up and 
running online and every idea starts with a domain name.
    A domain name, whether it's a dot com, a dot org, or a new 
extension, like dot app or dot blog, is essential to creating 
an online identity. GoDaddy currently manages over 76 million 
domain names for our 18 million customers worldwide and whether 
that customer is a florist in Mississippi or a baker in London 
or a web designer in Mumbai, our mission is to provide an 
excellent customer experience that is uniform around the world.
    The focus of this hearing is on the impact of international 
policies and regulations on end user experiences and global 
competition online and today, I would like to discuss the 
following three issues.
    First, the adoption of laws and regulations by countries 
that are designed to exclude American companies; second, the 
patchwork of privacy laws and regulations; and, third, the dot 
com cooperative agreement between NTIA and Verisign, which 
underpins the global Internet domain system.
    Internationally, we're seeing an increasing number of 
countries adopt laws and regulations that make it more 
difficult to serve our customers in those markets. We have 
encountered numerous examples of foreign regulations on 
Internet providers that would require us to establish a local 
presence or use local banks or even hire a local workforce all 
in order to gain access to that market.
    Some nations aggressively regulate content and censor 
political or religious views. Taken together, all of these 
regulations stand in the way of GoDaddy reaching new customers, 
competing in new markets, and developing innovative products, 
and laws like these are harmful to providers and to consumers 
alike and are a barrier to free trade.
    There's also an increasing number of new privacy 
regulations, such as the European Union's new General Data 
Protection Regulation, GDPR, and these regulations have created 
a patchwork of laws with which companies must comply in order 
to operate globally.
    GDPR compliance was a major undertaking for GoDaddy. GDPR's 
touched every aspect of our industry but, most notably, it has 
significantly disrupted the WHOIS Service, which is a directory 
of contact information for domain name registrants.
    WHOIS is a two-edged sword. It serves as an important tool for 
law enforcement and other stakeholders, but it's also a gold 
mine of personal data for spammers.
    Currently, we're engaged with representatives of law 
enforcement agencies and our colleagues at ICANN to try and 
strike the right balance between providing access to WHOIS for 
legitimate purposes while also protecting the private 
information of our customers.
    Also crucial to the health of the Internet is the 20-year-
old cooperative agreement between NTIA and Verisign that 
governs the dot com registry.
    As you're aware, dot com makes up about 80 percent of 
domain names and the cooperative agreement holds the wholesale 
price of dot com domain names at $7.85 per year. This is 
scheduled to expire in November and it's our understanding that 
NTIA and Verisign are currently in talks to renew and possibly 
amend this agreement, which could potentially raise prices.
    GoDaddy serves millions of small customers and in our 
experience they're very sensitive to any price increase. We 
believe it's important to preserve price caps in any renewal of 
the cooperative agreement.
    Eventually, we believe our industry and all consumers would 
benefit from the full dot com agreement being put out for 
competitive bid. The Internet has matured over the last 20 
years and while we have no complaints about Verisign's 
performance of the contract, there are now several companies 
that could capably operate the dot com registry equally as well 
and perhaps at lower wholesale cost.
    So thank you again for the opportunity to testify here 
today. We believe the United States must continue to push back 
on protectionist policies imposed by other countries and to 
help mitigate a global patchwork of inconsistent and unclear 
privacy laws and, further, we are hopeful that NTIA will 
increase transparency and extend the current dot com pricing as 
associated with any renewal of the cooperative agreement and 
engage with ICANN and other stakeholders to put that agreement 
out for competitive bid.
    So thank you for your time, and I look forward to your 
questions.
    [The prepared statement of Mr. Bladel follows:]

 Prepared Statement of James Bladel, Vice President of Global Policy, 
                                GoDaddy
Introduction
    Good morning, Chairman Wicker, Ranking Member Schatz, and 
subcommittee members. My name is James Bladel, and I am the Vice 
President of Global Policy at GoDaddy. We appreciate the opportunity to 
testify before you today.
    GoDaddy is the world's largest web platform dedicated to 
independent ventures. We provide the tools, insights, and people to 
enable small businesses, aspiring entrepreneurs, or anyone with an idea 
to get that idea up and running online. Every idea starts with a domain 
name and building an online presence.
    A domain name, whether it is a dot-COM, dot-ORG, or a new extension 
like dot-APP or dot-BLOG, is critical to establishing an online 
identity. GoDaddy currently manages over 76 million domain names for 18 
million customers worldwide. Whether that customer is a florist in 
Mississippi, a baker in London, or a web designer in Mumbai, our 
mission is to provide an excellent customer experience that is uniform 
around the world.
    The focus of this hearing is the impact of international policies 
and regulations on end user experiences and global competition online. 
Today, I will discuss the following three issues:

   Adoption of laws and regulations by countries designed to 
        exclude American companies;

   The patchwork of country and regional privacy laws and 
        regulations; and

   The renewal of the Cooperative Agreement between the 
        National Telecommunications and Information Administration 
        (NTIA) and Verisign, which underpins the global Internet domain 
        name system.
Foreign Regulations
    Internationally, we are seeing an increasing number of countries 
adopt local laws that make it more difficult to serve our customers in 
those markets. We have encountered numerous examples of regulations on 
foreign Internet providers that would require us to establish a local 
presence, or use local banks, or even hire a local workforce, all in 
order to access that market. Some nations aggressively regulate content 
and censor political or religious views. Taken together, these 
regulations stand in the way of GoDaddy reaching new customers, 
competing in new markets, and developing new innovative products. Laws 
like these must be seen as harmful to providers and consumers alike, 
and are a barrier to free trade.
    There is also an increasing number of new privacy regulations, such 
as the European Union's new General Data Protection Regulation 
(GDPR),\1\ creating a patchwork of country and regional laws with which 
companies must comply to operate globally. GDPR compliance has been a 
major undertaking at GoDaddy, diverting time and engineering resources 
away from customer service and product development.
---------------------------------------------------------------------------
    \1\ 2018 Reform of EU Data Protection Rules, available at 
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
---------------------------------------------------------------------------
GDPR
    GDPR has touched every aspect of our industry, but notably it has 
significantly disrupted the WHOIS service, which is an online directory 
of contact information for domain name registrants. WHOIS is a two-
edged sword, serving as an important tool for law enforcement agencies 
and other stakeholders, while also being a gold mine of personal data 
for spammers. Currently, we are engaged with representatives of law 
enforcement agencies and our colleagues at the Internet Corporation for 
Assigned Names and Numbers (ICANN) to strike the right balance between 
providing access to WHOIS data for legitimate needs, while still 
protecting the private information of our customers.
Cooperative Agreement and dot-COM Contract
    Most important to GoDaddy--and critical to the tens of millions of 
global customers who have dot-COM domains--is the 20-year-old, 
exclusive Cooperative Agreement between NTIA and Verisign.\2\ In 2016, 
an economic study commissioned by ICANN found that Verisign's share of 
legacy generic Top-Level Domains (gTLDs) was over 80 percent, making 
them an effective monopoly in our industry.\3\
---------------------------------------------------------------------------
    \2\ Verisign Cooperative Agreement, National Telecommunications and 
Information Administration (October 2016), available at 
https://www.ntia.doc.gov/page/verisign-cooperative-agreement.
    \3\ https://www.icann.org/news/announcement-2016-10-11-en
---------------------------------------------------------------------------
    The Cooperative Agreement addresses this by capping the wholesale 
price of dot-COM domain names at $7.85 per year. The Cooperative 
Agreement is scheduled to expire in November, and we understand that 
NTIA and Verisign are currently in talks to renew and possibly amend 
this agreement.
    Our experience clearly shows that small businesses are very 
sensitive to price increases, and that any increase has the potential 
to suppress their ability to grow, deliver products and add jobs. 
GoDaddy serves millions of small businesses. Granting Verisign the 
ability to raise dot-COM prices would have a negative impact on our 
business and our customers, but also our competitors and their 
customers, which can ultimately affect overall economic growth.
    We see no justification for higher dot-COM prices, and we recommend 
that NTIA preserve the price caps in any renewal of the Cooperative 
Agreement.
    Beyond the renewal of the Cooperative Agreement, we believe our 
industry and all end users would benefit from the dot-COM contract 
eventually being put out for competitive bid. Granting Verisign the 
exclusive right to operate the dot-COM gTLD may have been appropriate 
in the early days of the Internet, but the Internet has matured over 
the last 20 years. And while we have no complaints with Verisign's 
performance of the contract, there are now several companies capable of 
operating the dot-COM gTLD equally as well, and perhaps at lower 
wholesale costs.
Conclusion
    Thank you for the opportunity to testify today to discuss global 
policies that impact the Internet industry and our users. We believe 
the U.S. must continue to push back on protectionist policies imposed 
by other countries and the growing patchwork of privacy regulations.
    Further, we are hopeful the NTIA will provide more transparency, 
and seek more stakeholder engagement, as part of the renewal process 
for the Cooperative Agreement. In the short-term, we support extending 
the dot-COM price caps in any renewed agreement. But in the long-term, 
we would like NTIA to engage with ICANN and other stakeholders to 
develop a strategy to put the dot-COM contract up for competitive bid.
    Thank you for your time, and I look forward to your questions.

    Senator Wicker. Thank you very much.
    Dr. Layton.

 STATEMENT OF ROSLYN LAYTON, Ph.D., VISITING SCHOLAR, AMERICAN 
                      ENTERPRISE INSTITUTE

    Dr. Layton. Thank you, Chairman Wicker, and Ranking Member 
Schatz.
    Chairman Wicker, thank you also for your leadership of the 
Helsinki Commission on Security and Cooperation and your 
defense of human rights. It reminds me how Americans from every 
part of our Nation can play a role in Internet policy.
    For example, Mississippi is innovating in telemedicine and 
precision agriculture. As we enter the 5G era, our economy will 
broaden with smart application for cities, cars, and so on. 
It's not just search engines and social networks. We want to 
export these new 5G platforms and services and this underscores 
the importance of today's hearing.
    Now our country has practiced international technology 
policy for at least 230 years. Alexander Hamilton's report on 
the subject of manufacturers from 1791 advocated for 
modernizing the American economy to break dependence on slavery 
and supersede England in manufacturing. We revere Hamilton for 
his enlightened contribution on the importance of central 
government. Equally, we revere Thomas Jefferson for his 
championing of individual freedoms.
    Our policy legacy is thus to hold the balance of the Rule 
of Law with individual rights and these values should underpin 
our approach to Internet governance. The United States is one-
third of the global tech economy and we should shape the 
international environment with our values, but we won't have 
any credibility if our policy is just about American companies 
making money.
    We must export a value system that legitimately empowers 
and rewards other nations to participate in a free market 
economy, to respect the Rule of Law and individual rights, to 
limit regulatory distortion, to protect property, and to 
improve quality of life. This is how we ensure that our regime 
is the most fair, rational, and humane.
    Now a popular misconception is that the Global Data 
Protection Regulation or GDPR protects privacy. It does not. 
The GDPR is about data regulation, specifically, 173 rules on 
data regulation.
    Now Europe is the destination of two-thirds of America's 
digital goods and services and U.S. companies are now suffering 
because of its cost and complexity. Now I live in Copenhagen, 
so I can experience this. I can no longer look at the 
newspapers, such as the L.A. Times, the Chicago Tribune, the 
New York Daily News, the Hartford Courant, or Atlanta Sentinel 
and Baltimore Sun.
    Additionally, 60 additional newspapers in Illinois, 
Indiana, Minnesota, Missouri, Montana, Nebraska, Nevada, 
Washington, and Wisconsin are not available. This reduction in 
content has reduced visibility for U.S. advertisers and has 
shut them out of independent ad exchanges.
    Retailers Williams and Sonoma and Pottery Barn no longer 
sell in the EU. Game companies from Washington State have shut 
down their online communities. A Nevada provider of online IT 
services no longer takes European customers. A mobile marketing 
platform company with six offices in the United States has 
closed its EU operation, and even the website of the 
Association of National Advertisers is not available.
    Now if we adopted such a measure in the United States, it 
would likely violate our freedom of speech as the government 
requirements are so onerous that they reduce expression. 
Indeed, California's GDPR-inspired legislation should be 
preempted federally for this very reason, and the EU Parliament 
is using the GDPR as a pretext to torpedo our faithfully 
negotiated Privacy Shield Agreement.
    These actions violate international law and we need to 
challenge them in court.
    Now the GDPR is a global standard tool. The EU tried this 
before with the 3G GSM and Mobile Standard hoping that we would 
get on their platform. We didn't copy them but we leapfrogged 
to 4G LTE. Now we need the same strategy with the GDPR, not to 
copy but to make a better and different alternative for data 
protection, and we can do that by meaningfully empowering 
consumers through digital competence education and 
incentivizing privacy-enhancing technologies.
    I want to applaud Senator Klobuchar for her leadership on 
the proposed bill.
    In closing, we must walk the talk. For a rational, 
predictable, and consistent framework abroad, we need to start 
at home. Therefore, the right policy should be a consistent 
framework with same rules for all players, grounded in modern 
evidence-based standards of antitrust delivered by the Federal 
Trade Commission. This also requires addressing the regulatory 
prejudice that has deterred flexible pricing and innovation in 
business models and platforms.
    For example, the cooperative agreement between Verisign and 
U.S. Department of Commerce oddly caps the wholesale price of 
dot com domains but allows arbitrage in the secondary market.
    Now just as Jefferson had secured the Mediterranean Sea 
lanes for free trade in the 19th Century, we have to secure the 
information lanes for the free flow of data today, and this is 
now our leadership challenge.
    [The prepared statement of Dr. Layton follows:]

     Prepared Statement of Roslyn Layton, Ph.D., Visiting Scholar, 
                     American Enterprise Institute
    Thank you Chairman Wicker, Ranking Member Schatz, and members of the 
Committee for the opportunity to testify. Chairman Wicker, you are 
understandably informed of international security and policy issues as 
chairman of the Helsinki Commission on Security and Cooperation in 
Europe. Thank you for your leadership and commitment to ensure security and 
defend human rights and freedoms in that role.\1\ It reminds me why 
Mississippi is important to the digital future, just like Manhattan. 
Mississippi with its population of 3 million has an economy as large as 
the Nation of Ecuador, which has five times the population.\2\ 
Mississippi is innovating in digital technology with telemedicine \3\ 
and precision farming.\4\ While we think about digital communications 
today as search engines, social networks, ecommerce, and digital 
content, as we enter the 5G era, our digital economy will be broadened 
with smart applications and platforms for health, homes, cities, grids, 
cars, and infrastructure. We should expect to export these 5G platforms 
and services. This underscores the importance of today's hearing in 
getting the policy right. It also demonstrates that every American can 
benefit and participate in the Internet economy and that all Americans 
have a stake in Internet policy.
---------------------------------------------------------------------------
    \1\ Commission on Security and Cooperation in Europe, ``Senator 
Roger F. Wicker,'' https://www.csce.gov/senator-roger-f-wicker.
    \2\ Mark J. Perry, ``Putting America's Enormous $19.4T Economy into 
Perspective by Comparing U.S. State GDPs to Entire Countries,'' May 8, 
2018, http://www.aei.org/publication/putting-americas-enormous-19-4t-
economy-into-perspective-by-comparing-us-state-gdps-to-entire-
countries/.
    \3\ Morgan Reed, ``The Connected Health Initiative Applauds the 
FCC's New `Connected Care Pilot Program,' '' ConnectedHealth, July 11, 
2018, https://www.connectedhi.com/blog/2018/7/11/the-connected-health-
initiative-applauds-the-fccs-new-connected-care-pilot-program.
    \4\ Office of Roger Wicker, ``Wicker Leaders New Legislation on 
Precision Agriculture,'' press release, January 29, 2018, https://
www.wicker.senate.gov/public/index.cfm/weekly-report?ID=60B6C27C-72F6-4147-9F27-A24DA2E5B86A.
---------------------------------------------------------------------------
    The economics of the Internet allow for the participation of many 
players. With the evolution to 5G, the next generation mobile standard, 
and the Internet of Things, this will only increase. Existing 
businesses will converge, and new ones will emerge. Consider how 
quickly the U.S. reaped the gains from 4G mobile wireless networks and 
its associated technologies, apps, and services. Some $100 billion was 
added annually to the Nation's GDP.\5\ The windfall from 5G is 
projected to be even greater: The rollout of a 5G network is 
expected to deliver 3 million new jobs and contribute $1.2 trillion to 
the U.S. economy.\6\
---------------------------------------------------------------------------
    \5\ CTIA, ``How America's 4G Leadership Propelled the U.S. 
Economy,'' April 16, 2018, https://www.ctia.org/news/how-americas-4g-
leadership-propelled-the-u-s-economy.
    \6\ CTIA, ``Global Race to 5G--Spectrum and Infrastructure Plans 
and Priorities,'' April 2018, https://api.ctia.org/wp-content/uploads/
2018/04/Analysys-Mason-Global-Race-To-5G_2018.pdf.
---------------------------------------------------------------------------
    Our country has engaged the question of international technology 
policy for at least 230 years. Alexander Hamilton's Report on the 
Subject of Manufactures in 1791 advocated for modernizing the American 
economy to break dependency on slavery and supersede England in 
manufacturing.\7\ We revere Hamilton for his many contributions, which 
exemplify the importance of a central government. Equally we revere 
Thomas Jefferson, the exponent of individual freedoms and limited 
government.\8\ As such, the legacy of our policy has been an attempt to 
balance the necessary role of a central government with the sovereignty 
of the individual. We maintain that balance through the rule of law and 
enumerated individual rights. These are values that underpin our 
approach to international Internet governance.
---------------------------------------------------------------------------
    \7\ Founders Online, ``Introductory Note: Report on Manufactures,'' 
accessed May 29, 2018, http://founders.archives.gov/documents/Hamilton/
01-10-02-0001-0001.
    \8\ Jules Witcover, Party of the People: A History of the 
Democrats (Random House, November 4, 2003).
---------------------------------------------------------------------------
    The U.S. tech economy was $1.6 trillion in 2018, 9.2 percent of 
gross domestic product (GDP). The numbers are even more staggering from 
an equities perspective; the American tech industry accounts for a 
quarter of the value of the U.S. stock market, some $34 trillion.\9\ 
There are half a million tech companies in the U.S. with 34,000 new 
startups in 2017 alone.\10\ Globally, the tech industry topped $4.5 
trillion in revenue in 2017 and is expected to reach $4.8 trillion in 
2018.\11\ The U.S. is the single-largest tech market in the world and 
accounts for 31 percent of the global tech market.\12\
---------------------------------------------------------------------------
    \9\ Nasdaq, ``Technology Companies,''
    \10\ Cyberstates, ``Data Appendix,'' https://www.cyberstates.org/.
    \11\ CompTIA, ``IT Industry Outlook 2018,'' https://
www.comptia.org/resources/it-industry-trends-analysis.
    \12\ CompTIA, ``IT Industry Outlook 2018.''
---------------------------------------------------------------------------
    As such, it is in the national interest to shape the international 
environment by projecting power and securing economic, political, and 
strategic goods. But the U.S. won't have any credibility if its 
international Internet policy is just about American companies making 
money. The U.S. must also export a value system that legitimately 
empowers and rewards other nations to participate in a free-market 
Internet economy, respects the rule of law and individual rights, 
limits regulatory distortion and abuse, protects property, and delivers 
measurable improvements in quality of life. This is how we ensure that 
our regime is most fair, rational, and humane for global Internet 
governance.
    Today, I will describe some geopolitical and protectionist efforts 
proffered by foreign governments as consumer protection, notably the 
General Data Protection Regulation (GDPR), lax enforcement of 
intellectual property, and data localization. I will discuss a range of 
solutions for the committee to consider.
General Data Protection Regulation (GDPR)
    In addition to my role at the American Enterprise Institute, I am 
Visiting Researcher at the Center for Communication, Media and 
Information Technologies at Aalborg University in Copenhagen, Denmark. 
We run a multidisciplinary research and education program looking at 
the impact of technology in society from engineering, economic, legal, 
and social perspectives. The GDPR is one of our areas of focus, and I 
follow it closely.\13\
---------------------------------------------------------------------------
    \13\ European Commission, ``Data Protection: Rules for the 
Protection of Personal Data Inside and Outside the EU,'' http://
ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf.
---------------------------------------------------------------------------
    Europe is the destination for two-thirds of America's digital 
exports,\14\ so naturally we should be concerned when it adopts 
draconian, misguided regulation. Moreover, the region has fallen 
precipitously behind on network investment \15\ by €150.\16\ The 2020 
connectivity goals have been pushed out to 2025. Whereas 20 percent of 
Americans, some 25 million households, have already adopted some kind 
of pre-5G product or service (e.g., Google Home or Amazon Alexa), 
Europeans have yet to make this cultural and technological shift.\17\ 
It makes sense that we should broaden and diversify the market for our 
digital goods and services, as the EU, if it continues down the current 
path, will be increasingly incompatible. At the same point, there is 
not a ready market to replace the EU; China wants indigenous 
technology. So we need to pursue a strategy that helps the EU and the 
rest of the world modernize as well as to open China's market. It is 
becoming increasingly difficult for Brussels to maintain the narrative 
that its 20-year attempt to regulate its way to growth and 
competitiveness is working. More Europeans want prosperity than 
protectionism.
---------------------------------------------------------------------------
    \14\ United States International Trade Council. Digital Trade in 
the U.S. and Global Economies, Part 1. 2013 http://www.usitc.gov/
publications/332/pub4415.pdf
    \15\ Roslyn Layton, ``The EU's Broadband Challenge.'' American 
Enterprise Institute. February 19, 2014. http://www.aei.org/
publication/the-european-unions-broadband-challenge/
    \16\ European Investment Bank. ``Restoring EU Competitiveness.'' 
2016 http://www.eib.org/attachments/efs/
restoring_eu_competitiveness_en.pdf
    \17\ Strand Consult. ``American consumers are already buying 5G 
products and services while the EU falls further behind on networks and 
innovation.'' Spring 2018. http://www.strandreports.com/sw8027.asp
---------------------------------------------------------------------------
    A popular misconception about the GDPR is that it protects privacy; 
it does not. The GDPR is about data protection or more correctly, data 
governance.\18\ The word ``privacy'' appears infrequently in the GDPR, 
only to refer to ``Privacy by Design'' (Article 25), ``Privacy Impact 
Assessment'' (Article 35), the ePrivacy Directive, and the Privacy 
Shield regime. Data protection is a technical issue whereas data 
privacy is a legal one.\19\
---------------------------------------------------------------------------
    \18\ What Is the GDPR?, Evidon (last visited Aug. 25, 2017), 
https://www.evidon.com/education-portal/videos/what-is-the-gdpr/.
    \19\ David Robinson, Data Privacy vs. Data Protection, IPSwitch 
(Jan. 29, 2918), https://blog.ipswitch.com/data-privacy-vs-data-
protection.
---------------------------------------------------------------------------
Harms to consumers, American firms, and competition
    Before entering academe, I had a career in digital marketing in 
Silicon Valley, where I worked with some 2000 American retailers and 
other online companies. In 2010, I was recruited to the European Union 
(EU) because of my analytics-based online marketing skills. Meanwhile 
Brussels began a systematic campaign to dumb down the online experience 
under the guise of ``protecting'' consumers. The ePrivacy Directive 
\20\ or so-called ``cookie law'' launched in 2011, costs EU businesses 
$2.3 billion annually with no relatable benefit.\21\ It is widely 
recognized as a regulatory failure,\22\ detrimental to commerce, and, 
indeed, counterproductive to privacy and data protection.\23\
---------------------------------------------------------------------------
    \20\ EUR-Lex, ``Directive 2002/58/EC of the European Parliament and 
of the Council of 12 July 2002 Concerning the Processing of Personal 
Data and the Protection of Privacy in the Electronic Communications 
Sector (Directive on Privacy and Electronic Communications),'' July 31, 
2002, http://eur-lex.europa.eu/LexUriServ/
LexUriServ.do?uri=CELEX:32002L0058:EN:HTML,
    \21\ Daniel Castro and Alan McQuinn, ``The Economic Cost of the 
European Union's Cookie Notification Policy,'' Information Technology 
and Innovation Foundation, November 6, 2014, https://itif.org/
publications/2014/11/06/economic-cost-european-unions-cookie-
notification-policy.
    \22\ Graham Charlton, ``The EU 'cookie law': what has it done for 
us?'' Econsultancy. August 27, 2014 https://econsultancy.com/blog/
65366-the-eu-cookie-law-what-has-it-done-for-us
    \23\ W. Gregory Voss, ``First the GDPR, Now the Proposed ePrivacy 
Regulation,'' Journal of Internet Law 21, no. 1 (July 25, 2017): 3-11, 
https://ssrn.com/abstract=3008765.
---------------------------------------------------------------------------
    The EU continued promulgating punitive regulation without 
performing regulatory impact analyses of the policies, and ignoring, if 
not rejecting, the mounting empirical evidence that its approach does 
not fulfill the policy goals it promises.\24\ \25\ \26\ \27\ \28\ 
Indeed, when implementing the GDPR, the EU ignored the advice of its 
official research institute on how to create trust in the online 
environment,\29\ notably the importance of consumer education and 
innovation in privacy-enhancing technologies.\30\ After a decade of 
GDPR-type regulations across EU, consumers report only a marginal 
increase in trust online. As of 2017 only 22 percent of Europeans shop 
outside their own country (a paltry increase of 10 percent in a 
decade), suggesting that the European Commission's Digital Single 
Market goals are still elusive.\31\ Moreover, only 20 percent of EU 
companies are highly digitized.\32\ These are primarily large firms. 
Small to medium sized companies invest little to modernize their 
business and market to other EU countries.
---------------------------------------------------------------------------
    \24\ James Hayes,`` `Cookie Law': A Hostage to Fortune?,'' 
Engineering & Technology 7, no.8 (2012): 66-69.
    \25\ Elizabeth Aguirre et al., ``Unraveling the Personalization 
Paradox: The Effect of Information Collection and Trust-Building 
Strategies on Online Advertisement Effectiveness'' Journal of Retailing 
91, no. 1 (2015): 34-49.
    \26\ Ronald Leenes and Eleni Kosta, ``Taming the Cookie Monster 
with Dutch Law--a Tale of Regulatory Failure,'' Computer Law & Security 
Review 31, no. 3 (2015): 317-35.
    \27\ Christina Markou, ``Behavioural Advertising and the New `EU 
Cookie Law' as a Victim of Business Resistance and a Lack of Official 
Determination'' in Data Protection on the Move (Springer Netherlands, 
2016), 213-47.
    \28\ Alan McQuinn and Daniel Castro. ``Why Stronger Privacy 
Regulations Do Not Spur Increased Internet Use.'' ITIF. July 11, 2018 
https://itif.org/publications/2018/07/11/why-stronger-privacy-
regulations-do-not-spur-increased-internet-
use?mc_cid=6ef5636fad&mc_eid=ff7c0376f1
    \29\ Layton, Roslyn, How the GDPR Compares to Best Practices for 
Privacy, Accountability and Trust (March 31, 2017). https://ssrn.com/
abstract=2944358
    \30\ European Union Agency for Network and Information Security. 
``Privacy, Accountability and Trust-Challenges and Opportunities.'' 
February 18, 2011. https://www.enisa.europa.eu/publications/pat-study
    \31\ European Commission Report. ``Use of Internet Services'', 
2018. http://ec.europa.eu/information_society/newsroom/image/document/2018-20/3_desi_report_use_of_internet_services_18E82700-A071-AF2B-16420BCE813AF9F0_52241.pdf
    \32\ European Commission Report. ``Integration of Digital 
Technology''. 2018. http://ec.europa.eu/information_society/newsroom/image/document/2018-20/4_desi_report_integration_of_digital_technology_B61BEB6B-F21D-9DD7-72F1FAA836E36515_52243.pdf
---------------------------------------------------------------------------
    There is extensive evidence that shows that a flexible, innovation-
based approach yields software and systems that are better designed to 
protect data and privacy and that empower enterprises to operate with 
data protection as a competitive parameter.\33\ The International 
Association of Privacy Professionals' survey of privacy practices of 
800 enterprises around the world found that traditionally less 
regulated industries have more advanced privacy practices than highly 
regulated industries, which conform only to regulatory 
requirements.\34\ Nevertheless the EU has continued its misguided 
approach with the GDPR, promulgating 17 invented rights, 35 new 
responsibilities for bureaucrats, and 45 specific regulations for 
enterprises.
---------------------------------------------------------------------------
    \33\ Kenneth A. Bamberger and Deirdre K. Mulligan, Privacy on the 
Ground: Driving Corporate Behavior in the United States and Europe 
(2015).
    \34\ IAPP-EY Annual Privacy Governance Report 2015, IAPP (2015), 
https://iapp.org/resources/article/iapp-ey-annual-privacy-governance-
report-2015-2/.
---------------------------------------------------------------------------
    Following is a snapshot of the American media, retailers, software, 
and other companies that are no longer accessible in the EU since May 
25, when the GDPR went into effect. This is by no means a comprehensive 
review. Notably people experienced their personal inboxes being flooded 
with GDPR compliance e-mails or consent requests attempting to comply with 
the GDPR, but apparently many of these communications are illegal under 
the GDPR.\35\
---------------------------------------------------------------------------
    \35\ Alex Hern, Most GDPR E-mails Unnecessary and Some Illegal, Say 
Experts, The Guardian (May 21, 2018), https://www.theguardian.com/
technology/2018/may/21/gdpr-e-mails-mostly-unnecessary-and-in-some-
cases-illegal-say-experts.
---------------------------------------------------------------------------
    There is no access to Tronc Media, whose flagship newspapers 
include the Los Angeles Times, Chicago Tribune, New York Daily News, 
Hartford Courant (America's longest running newspaper since 1764), 
Orlando Sentinel, and the Baltimore Sun.\36\ Access is not available to 
more than 60 newspapers of Lee Enterprises covering news across 20 
states including Illinois, Indiana, Minnesota, Missouri, Montana, 
Nebraska, Nevada, Washington, and Wisconsin.\37\
---------------------------------------------------------------------------
    \36\ Alanna Petroff. CNN Money. ``LA Times takes down website in 
Europe as privacy rules bite.'' May 25, 2018. https://money.cnn.com/
2018/05/25/media/gdpr-news-websites-la-times-tronc/index.html
    \37\ Roslyn Layton (@Roslyn Layton), ``Alas, from the EU I can't 
read @CapTimes and 60 other newspapers across 20 stats in the Lee 
Enterprises group because of the #GDPR. Freedom and First Amendment 
R.I.P.,'' July 26, 2018, 9:47 a.m., https://twitter.com/RoslynLayton/
status/1022508758252113920.
---------------------------------------------------------------------------
    Blocked media is not only a problem for the one million Americans 
who live in the EU and can no longer read news and information about 
their hometowns, but for Europeans who wish to learn more about the 
U.S. from direct sources rather than the state-owned media, which 
dominate the press and broadcasting in most EU countries. To access the 
internet, Europeans must pay a government media license fee on top of 
their broadband subscription. The penalty for failing to pay is 
imprisonment.\38\
---------------------------------------------------------------------------
    \38\ Roslyn Layton and Michael Horney, ``Innovation, Investment, 
and Competition in Broadband and the Impact on America's Digital 
Economy,'' Mercatus Center, August 12, 2014, 10, https://
www.mercatus.org/publication/innovation-investment-and-competition-
broadband-and-impact-america-s-digital-economy.
---------------------------------------------------------------------------
    It is not just the American media outlets which are down but their 
advertisers. Given the scope of Google's advertising platform and its 
affiliates on syndicated networks, its compliance to the GDPR has 
caused ripple effects in ancillary markets. Independent ad exchanges 
noted prices plummeting 20 to 40 percent.\39\ Some advertisers report 
being shut out from exchanges.\40\ The GDPR's complex and arcane 
designations for ``controllers'' and ``processors'' can ensnare third 
party chip makers, component suppliers, and software vendors which have 
never interfaced with end users, as European courts have ruled that any 
part of the ecosystem could be liable for data breaches.\41\
---------------------------------------------------------------------------
    \39\ Jessica Davies, `The Google Data Protection Regulation': GDPR 
is Strafing Ad Sellers, Digiday (June 4, 2018), https://digiday.com/
media/google-data-protection-regulation-gdpr-strafing-ad-sellers/.
    \40\ Catherine Armitage. World Federation of Advertisers. July 10, 
2018. https://www.wfanet.org/news-centre/life-after-gdpr-what-next-for-the-advertising-industry/
    \41\ https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62016CJ0210&qid=1531145885864&from=EN
---------------------------------------------------------------------------
    Many American retailers, game companies, and service providers no 
longer sell in the EU. The websites of Williams-Sonoma and Pottery Barn 
are dark.\42\ The online experience of scores of other American 
retailers is now polluted with pop-ups and disclosures, prompting many 
customers to click away. Verve, a leading mobile marketing platform 
with offices in 6 U.S. cities, closed its European operation in advance 
of GDPR, impacting 15 EU employees.\43\ Valve, an award-winning video 
game maker company in Bellevue, Washington, shut down an entire game 
community rather than invest in GDPR compliance,\44\ similarly for Uber 
Entertainment in nearby Kirkland, WA, which shut down one of its most 
popular games entirely after a 6 year run because upgrading the 
platform to GDPR was too expensive.\45\ California-based Gravity 
Interactive no longer offers games in the EU and refunded its European 
customers.\46\ The Las Vegas-based Brent Ozar Unlimited offering a 
range of information technology and software support services stopped 
serving the EU.\47\ Even the website of the Association of National 
Advertisers is not available.\48\
---------------------------------------------------------------------------
    \42\ Roslyn Layton (@Roslyn Layton), ``More #GDPR casualties. 
@WilliamsSonoma group no longer selling in EU including @potterybarn 
@PotteryBarnKids @potterybarnteen etc. I can't even access recipes. 
@caprivacyorg do you really want to shut down this great SF company 
with your misguided approach?,'' July 9, 2018, 3:10 a.m., https://
twitter.com/RoslynLayton/status/1016248093547945984.
    \43\ Ronan Shields. ``Verve to focus on U.S. growth as it plans 
closure of European offices ahead of GDPR.'' April 18, 2018. https://
www.thedrum.com/news/2018/04/18/verve-focus-us-growth-it-plans-closure-
european-offices-ahead-gdpr
    \44\ Steam, ``Super Monday Night Combat,'' https://
steamcommunity.com/app/104700/allnews/.
    \45\ Owen Good. ``Super Monday Night Combat will close down, citing 
EU's new digital privacy law.'' Polygon. April 28, 2018. https://
www.polygon.com/2018/4/28/17295498/super-monday-night-combat-shutting-
down-gdpr
    \46\ Warportal, ``Important Notice Regarding European Region 
Access,'' http://blog.warpportal.com/?p=10892.
    \47\ Brent Ozar, ``GDPR: Why We Stopped Selling Stuff to Europe,'' 
December 18, 2017, https://www.brentozar.com/archive/2017/12/gdpr-
stopped-selling-stuff-europe/.
    \48\ Roslyn Layton (@Roslyn Layton), ``Blocked again by #GDPR. 
Thanks a lot @JanAlbrecht @EU_EDPS. Who needs to use the Internet to 
read blogs and get information anyway? Government censorship parading 
as privacy and data protection. Sorry @ANAGovRel,'' June 7, 2018, 4:30 
a.m., https://twitter.com/RoslynLayton/status/1004671815426478081.
---------------------------------------------------------------------------
    If we adopted such a measure in the US, it would likely violate the 
freedom of speech, as the government requirements are so onerous that 
they limit expression. As such, we should be wary of California's 
privacy effort, which bills itself as an American version of the 
GDPR.\49\ Indeed the GDPR's asserted jurisdiction outside the EU may 
be illegal.\50\
---------------------------------------------------------------------------
    \49\ Roslyn Layton, ``Privacy Regulation Insanity: Making the Same 
Rules and Expecting a Different Outcome,'' AEIdeas, June 21, 2018, 
http://www.aei.org/publication/privacy-regulation-insanity-making-the-
same-rules-and-expecting-a-different-outcome/.
    \50\ Kurt Wimmer. Free Expression and Privacy: Can New European 
Laws Reach U.S. Publishers? Media Institute. November 9, 2017 https://
www.mediainstitute.org/2017/11/09/free-expression-and-privacy-can-new-
european-laws-reach-u-s-publishers/
---------------------------------------------------------------------------
    To comply with the GDPR, firms of 500 employees or more will likely 
have to spend between $1 and $10 million.\51\ With over 19,000 \52\ 
U.S. firms of this size, total GDPR compliance costs for this group 
could reach $150 billion, twice the U.S. spend on network investment 
\53\ or one-third of the annual ecommerce revenue in the USA.\54\ Hosuk 
Lee-Makiyama calculates that the GDPR's requirements on cross-border 
trade flows will increase prices, amounting to a direct welfare loss of 
€260 per European citizen.\55\ The net effect is that those companies 
that can afford to will comply; the rest will exit. Hence the GDPR 
becomes a barrier to market entry, punishing small firms, rewarding the 
largest players, and enuring regulators into a codependent relationship 
with the firms they regulate. This is a perverse outcome for a 
regulation promised to level the playing field on data protection.
---------------------------------------------------------------------------
    \51\ PricewaterhouseCoopers, ``GDPR Compliance Top Data Protection 
Priority for 92 percent of U.S. Organizations in 2017, According to PwC 
Survey,'' January 23, 2017, https://www.pwc.com/us/en/
press-releases/2017/pwc-gdpr-compliance-press-release.html.
    \52\ U.S. Census Bureau, ``2015 SUSB Annual Data Tables by 
Establishment Industry,'' January 2018, https://www.pwc.com/us/en/
press-releases/2017/pwc-gdpr-compliance-press-release.html.
    \53\ Jonathan Spalter, ``Broadband CapEx Investment Looking Up in 
2017,'' USTelecom, July 25, 2018, https://www.ustelecom.org/blog/
broadband-capex-investment-looking-2017.
    \54\ US Census Bureau, ``Quarterly Retail E-Commerce Sales 1st 
Quarter 2018,'' May 17, 2018, https://www.census.gov/retail/mrts/www/
data/pdf/ec_current.pdf.
    \55\ Lee-Makiyama, Hosuk, ``The Political Economy of Data: EU 
Privacy Regulation and the International Redistribution of Its Costs,'' 
in Protection of Information and the Right to Privacy-A New 
Equilibrium? (Springer International Publishing, 2014), 85-94. This 
methodology is expanded in Erik Van der Marel et al., ``A Methodology 
to Estimate the Costs of Data Regulations,'' International Economics 
146 (2016): 12-39.
---------------------------------------------------------------------------
    Moreover, the GDPR is fundamentally incompatible with Big Data, 
artificial intelligence, and machine learning with its specific 
regulation for purpose specification, data minimization, automated 
decisions and special categories.\56\ Some of the most important 
scientific advances have been the result of processing disparate sets 
of information in inventive ways, ways that neither subjects nor 
controllers anticipated, let alone requested. Consider the definitive 
study on whether the use of mobile phones causes brain cancer.\57\ The 
Danish Cancer Society analyzed the entire population of Denmark born 
since 1925 by processing social security numbers, mobile phone numbers, 
and the National Cancer Registry which records every incidence of 
cancer by social security number. The study is the most comprehensive 
investigation proving that the use of mobile phones is not correlated 
with brain cancer.
---------------------------------------------------------------------------
    \56\ Tal Z. Zarsky, ``Incompatible: The GDPR in the Age of Big 
Data,'' Seton Hall Law Review 47, no. 4 (2017): 2.
    \57\ Use of mobile phones and risk of brain tumours: update of 
Danish cohort study. BMJ 2011; 343 doi: https://doi.org/10.1136/
bmj.d6387 (Published 20 October 2011)
---------------------------------------------------------------------------
    Security concerns have also emerged. As AEI's Internet governance 
expert Shane Tews declares, ``The right to be forgotten is pitted 
against the right to be informed.'' \58\ A key example is WHOIS, the 
query and response protocol used to identify those who register domain 
names, which is threatened to be masked under the GDPR. Law enforcement, 
cybersecurity professionals and researchers, and trademark and 
intellectual property rights holders have a vital interest in the 
transparency of WHOIS.\59\ ``The publicly available data that is used 
to inform threat intelligence networks, find bad actors, and block them 
from accessing networks will no longer be available under the GDPR,'' 
she warns.\60\ The situation harkens back to a key fallacy of so-called 
privacy activists who attempted to block the rollout of caller ID 
because it violated the privacy rights of intrusive callers.\61\ Today 
we agree that the receiver's right to know who is calling is prioritized 
over the caller.
---------------------------------------------------------------------------
    \58\ Shane Tews, ``Privacy and Europe's data protection law: 
Problems and implications for the US''. AEI.org May 8, 2018. http://
www.aei.org/publication/privacy-and-europes-data-protection-law-
problems-and-implications-for-the-us/
    \59\ Shane Tews. ``How European data protection law is upending the 
Domain Name System.'' American Enterprise Institute. February 26, 2018. 
https://www.aei.org/publication/how-european-data-protection-law-is-
upending-the-domain-name-system/
    \60\ Supra Tews May 2018
    \61\ See Justin ``Gus'' Hurwitz and Jamil N. Jaffer, ``Modern 
Privacy Advocacy: An Approach at War with Privacy Itself?, Regulatory 
Transparency Project of the Federalist Society,'' June 12, 2018, 
https://regproject.org/paper/modern-privacy-advocacy-approach-war-
privacy/.
---------------------------------------------------------------------------
Global jurisdiction, selective enforcement
    In a press conference about the GDPR,\62\ Jan Philipp Albrecht,\63\ 
Green Party parliamentarian and ``father of the GDPR,'' assured that 
GDPR investigations would not focus on small to medium enterprises but 
instead ``will concentrate on the bigger ones that pose a threat to 
many consumers.'' He noted that firms ``already for quite a time now 
are under suspicion of not complying with European data protection 
rules'' and that they ``have been on their screen for years [and] will 
be the first to be looked at.'' He indicated that it could be two years 
before cases are resolved given the process for investigation, 
adjudication, and appeal. Industry observers suggest that U.S. data 
brokers (e.g., Acxiom, Datalogix, and Equifax) will also be targeted, 
as well as the auto, pharma, and health care industries.\64\
---------------------------------------------------------------------------
    \62\ European Parliament, Press Conference by Jan Philipp Albrecht, 
last visited June 24, 2018, https://multimedia.europarl.europa.eu/en/
albrecht-general-data-protection-regulation_I155149-A_ra.
    \63\ Jan Philipp Albrecht, Auf zu neuen Ufern: Minister für 
Digitales und Draußen, (Mar. 3, 2018), https://
www.janalbrecht.eu/2018/03/auf-zu-neuen-ufern/ (Albrecht noted that he 
will not run for reelection in the European Parliament in 2018 but take 
a position as Minister of Digital and Outdoors in the German province 
of Schleswig-Holstein where he hopes to shape climate and agricultural 
policy and EU relations).
    \64\ Laurens Cerulus and Mark Scott, ``Who Stands to Lose the Most 
from Europe's New Privacy Rules,'' Politico, May 23, 2018, https://
www.politico.eu/article/the-gdpr-hit-list-who-stands-to-lose-from-
europes-new-privacy-rules-facebook-google-data-protection/.
---------------------------------------------------------------------------
    If smaller companies are trying in good faith to comply with the 
GDPR, it would be disproportionate to sanction them, Albrecht said, 
noting that data protection authorities (DPAs) would more likely assist 
them to become compliant. While the GDPR automatically supersedes 
national law, only 4 of the 28 member states (Austria, Germany, 
Slovakia, and Sweden) have completed the formal process to update their 
local laws to align with the GDPR. If one country rules in a case in 
its own court, it can be overruled by a majority of the EU nations.
    Albrecht argues that enforcement should prioritize the companies 
that have been on regulators' radar. But if the regulators already know 
which companies are causing problems, why require every data processor 
that serves Europeans to comply with preventative regulations? It could 
be part of a ``make-work'' strategy to keep Europe's 62 privacy and 
data protection authorities in business and create jobs for some 75,000 
privacy professionals \65\ as data protection officers in firms--
another GDPR requirement.
---------------------------------------------------------------------------
    \65\ Rita Heimes and Sam Pfeifle, Study: GDPR's Global Reach to 
Require at Least 75,000 DPO's Worldwide, Int'l Assoc. of Privacy 
Professionals, https://iapp.org/news/a/study-gdprs-global-reach-to-
require-at-least-75000-dpos-worldwide/.
---------------------------------------------------------------------------
    Interestingly, Albrecht defends selective enforcement. While the 
GDPR's stated goal is to make a common standard for every firm, the 
real goal is to discipline large American firms. This is enabled by the 
GDPR's enumerated rights of representation, judicial remedy, and 
compensation, all of which form the basis for regulation by class 
action. Activists are encouraged to create nonprofit organizations,\66\ 
lodge complaints,\67\ and collect damages on behalf of users.\68\ 
Importantly, GDPR complaints cover not just actual injury or harm--
which would be required for a class action in U.S. Federal court--but 
failure to comply with regulation, even if no harm results. While class 
actions can offer consumers a convenient, effective remedy for harm, 
violation, and noncompliance, they can also be abused by unscrupulous 
lawyers and activists seeking to bypass democratic policymaking 
procedures.\69\ By legitimizing regulation by class action in the GDPR, 
the EU creates an incentive for legal abuse. Historically, Europe has 
largely eschewed ``US-style'' class actions, noting that they 
disproportionately reward lawyers over consumers.\70\ However, policy 
entrepreneurs have engineered the GDPR so that privacy activists can 
bring cases without overcoming legal barriers of standing and 
jurisdiction--safeguards that help preclude the abuse of the legal 
system for private gain.
---------------------------------------------------------------------------
    \66\ ``The Right of Data Subjects to Mandate a Not-for-Profit Body, 
Organisation, or Association,'' GDPR Recital 142.
    \67\ ``The Right of Data Subjects to Mandate a Not-for-Profit Body, 
Organisation, or Association,'' GDPR Recital 141.
    \68\ ``The Right of Data Subjects to Mandate a Not-for-Profit Body, 
Organisation, or Association,'' GDPR Recital 143.
    \69\ Martin H. Redish, Wholesale Justice: Constitutional Democracy 
and the Problem of the Modern Class Action, Northwestern University, 
2009.
    \70\ Redish, Wholesale Justice, 32.
---------------------------------------------------------------------------
    Notably Albrecht, European Commission representative Paul Nemitz, 
and American nonprofit Electronic Privacy Information Center (EPIC) all 
sit on the board of None of Your Business,\71\ a nonprofit founded 
under the auspices of the GDPR by Austrian privacy activist Max Schrems 
to bring complaints against American firms. Just seven hours after the 
GDPR came into effect, it filed complaints against Google and Facebook 
demanding $8.8 billion in damages.\72\
---------------------------------------------------------------------------
    \71\ Noyb, ``Executive Board,'' https://noyb.eu/team.
    \72\ Layton, ``Privacy Regulation Insanity.''
---------------------------------------------------------------------------
    Schrems' 2013 lawsuit against Facebook single-handedly torpedoed 
the 15 year old, transatlantic Safe Harbor agreement that processed the 
data of 4,400 firms, some $250 billion annually.\73\ Indeed Schrems' 
lawsuits are referenced in the brinkmanship of European Parliament, a 
resolution to end the faithfully negotiated Privacy Shield by September 
1, 2018 if the U.S. does not submit to its demands.\74\ Many privacy 
activists are fueled by post-Snowden animus for the U.S. Government and 
could organize a GDPR complaint against a U.S. Federal agency with data 
from European subjects. We already see the automation of complaints--
using technology to spam data protection authorities and firms with 
thousands, if not millions, of complaints at once.\75\ Indeed 
government agencies may be some of the most vulnerable entities 
under the GDPR.
---------------------------------------------------------------------------
    \73\ Roslyn Layton, ``Europe's Protectionist Privacy Advocates,'' 
Wall Street Journal, March 9, 2016, https://www.wsj.com/articles/
europes-protectionist-privacy-advocates-1457566423.
    \74\ European Parliament, ``Motion for a Resolution,'' June 26, 
2018, http://www.europarl.europa.eu/sides/getDoc.do?type=MOTION&reference=B8-2018-
0305&language=EN.
    \75\ Privateidentitycontrol.com, ``Retrieve the Right to Your Own 
Identity. Simple and Smooth!,'' https://
www.privateidentitycontrol.com/.
---------------------------------------------------------------------------
    In addition to these concerns, there are legal and administrative 
issues. The GDPR assumes that regulatory authorities have more 
information than consumers and firms and therefore know better how to 
order transactions in the marketplace.\76\ All the same, the GDPR 
imposes massive new responsibility on regulators without a concurrent 
increase in training or funding.\77\ EU data supervisors must wear many 
hats, including ``ombudsman, auditor, consultant, educator, policy 
adviser, negotiator, and enforcer.'' \78\ Furthermore, the GDPR widens 
the gap between the high expectations for data protection and the low 
level of skills possessed by data supervisors charged with its 
implementation.\79\ There are certainly many talented individuals among 
these ranks, but the mastery of information communication technologies 
varies considerably among these professionals, especially as each 
nation's data protection authority is constituted differently.
---------------------------------------------------------------------------
    \76\ See generally F.A. Hayek, Economics and Knowledge (1937); F.A. 
Hayek, The Use of Knowledge in Society (1945).
    \77\ Douglas Busvine, Julia Fioretti, and Mathieu Rosemain, 
``European Regulators: We're Not Ready for New Privacy Law,'' Reuters, 
May 8, 2018, https://www.reuters.com/article/us-europe-privacy-
analysis/european-regulators-were-not-ready-for-new-privacy-law-
idUSKBN1I915X.
    \78\ Colin J. Bennett and Charles Raab, The Governance of Privacy: 
Policy Instruments in Global Perspective (2006).
    \79\ Charles D. Raab and Ivan Szekely, Data Protection Authorities 
and Information Technology, Computer L. & Sec. Rev. (forthcoming), 
https://ssrn.com/abstract=2994898.
---------------------------------------------------------------------------
    While the GDPR's purported goal is to ensure ``fundamental 
rights,'' relatively few European users are aware of it. A UK survey 
found that 34 percent of respondents recognized the law, and even fewer 
knew what it covered.\80\ Europeans' dissatisfaction with the EU is 
well documented.\81\ Indeed, voter turnout in European Parliament 
elections dwindled from 62 percent in 1979 to just 42 percent in 
2014.\82\ This environment is conducive for the collective action \83\ 
of organized special interests to win over the diffuse majority. 
Essentially privacy advocates have effectively forced citizens' consent 
to heavy-handed data regulation in spite of public opinion,\84\ which 
seems to favor a more nuanced approach to privacy and data protection 
over the sledgehammer of the GDPR.
---------------------------------------------------------------------------
    \80\ Kirsty Cooke, ``Kantar--Data Shows Awareness of GDPR Is Low 
amongst Consumers,'' March 27, 2018, https://uk.kantar.com/public-
opinion/policy/2018/data-shows-awareness-of-gdpr-is-low-amongst-
consumers/.
    \81\ ``Europe's Pressure Points,'' AEI, January 17, 2017, http://
www.aei.org/feature/europes-pressure-points/.
    \82\ ``Turnout 2014--European Parliament,'' European Parliament, 
accessed July 27, 2018, http://www.europarl.europa.eu/elections2014-
results/en/turnout.html.
    \83\ Mancur Olson, The Logic of Collective Action. Harvard 
University Press, January 1971, http://www.hup.harvard.edu/
catalog.php?isbn=9780674537514.
    \84\ Roslyn Layton, ``How the GDPR Compares to Best Practices for 
Privacy, Accountability and Trust,'' SSRN Scholarly Paper March 31, 
2017, https://papers.ssrn.com/abstract=2944358.
---------------------------------------------------------------------------
Conflicting visions of rights and freedoms
    Aside from these legal quagmires, the U.S. should not adopt the 
EU's approach because our notions of privacy come from fundamentally 
different perspectives. America was founded on the idea that human 
beings are born with natural rights, such as the rights to life and 
liberty. These rights are inviolable, God-given, and independent of the 
laws and customs of the country and, thus, cannot be repealed or 
restrained by human laws. Natural rights make no demands on others 
except that they respect those rights. This has been codified in our 
Constitution and confirmed with over two centuries of case law. Natural 
rights should be distinguished from human rights, which are moral 
principles or norms to describe standards of human behavior.
    The EU approach, which only came into being in this century, is 
rather a Johnny-come-lately with the concept of privacy rights bestowed 
by government and a legal system, and thus can be modified, repealed, 
and restrained by government. The GDPR, a legal or government-granted 
right, makes specific demands of others (e.g., demanding how data 
processors must govern data).
    The main authority for privacy enforcement in the U.S. is 15 USC 
Sec. 45, which charges the Federal Trade Commission (FTC) with 
preventing ``unfair methods of competition in or affecting commerce and 
unfair or deceptive acts or practices in or affecting commerce.'' \85\ 
The FTC took up some 200 cases in 2017 alone.\86\ In matters of 
privacy, the FTC's role is to enforce privacy promises made in the 
marketplace. Whereas the GDPR assumes that any data collection is 
suspect, the FTC focuses its enforcement efforts on sensitive 
information that should be protected against unwarranted disclosure. 
This helps avoid imposing costly and draconian compliance mandates on 
entities that are not a priori threats to personal privacy, such as 
personal blogs, nonprofit organizations, or informational websites. The 
FTC's approach seeks to allocate scarce regulatory resources to prevent 
the greatest threats to online privacy. To be sure, if a small entity 
behaves in an unfair or deceptive way, it can be prosecuted, but the 
FTC does not assume that every entity wants to harm online users. 
Additional laws form the foundation on which the FTC carries out this 
charge including the Privacy Act of 1974,\87\ the Gramm-Leach-Bliley 
Act,\88\ the Fair Credit Reporting Act,\89\ and the Children's Online 
Privacy Protection Act.\90\
---------------------------------------------------------------------------
    \85\ 15 USC Sec. 45 (2012).
    \86\ Federal Trade Commission, ``Privacy & Data Security Update: 
2017,'' January 2017-December 2017, https://www.ftc.gov/system/files/
documents/reports/privacy-data-security-update-
2017-overview-commissions-enforcement-policy-initiatives-consumer/
privacy_and_data_security_update_2017.pdf.
    \87\ 5 USC Sec. 552a.
    \88\ 15 USC Sec. Sec. 6801-6809.
    \89\ 15 USC Sec. 1681 et seq.
    \90\ 15 USC Sec. Sec. 6501-6506.
---------------------------------------------------------------------------
    The current vogue of normative models for data protection such as 
the GDPR demonstrates the danger of ``privacy overreach,'' in which the 
drive to protect privacy becomes absolute, lacks balance with other 
rights, and unwittingly brings worse outcomes for privacy and data 
protection.\91\ The pace of privacy and data protection law is 
significantly faster than other laws, leading one scholar to suggest 
that it threatens to upend the balance with other fundamental 
rights.\92\
---------------------------------------------------------------------------
    \91\ Supra Hurwitz
    \92\ See Maja Brkan, The Unstoppable Expansion of the EU 
Fundamental Right to Data Protection, Maastricht Journal of European 
and Comparative Law 23, no. 5 (2016): 23, http://journals.sagepub.com/
doi/abs/10.1177/1023263X1602300505?journalCode=maaa.
---------------------------------------------------------------------------
    The principle of rational, limited government protects us against 
the Kafkaesque bureaucratization of regulation in which government 
agencies enshrine themselves in power in the name of protecting 
citizens. Totalitarian regimes are built on the premise that power must 
be increasingly centralized to ensure individual freedom. Every senator 
on the dais knows what it means to be responsible to the people. Both 
sides of the aisle and both houses of this Congress care deeply about 
the issues of privacy and data protection and have attempted to address 
them in a thoughtful way, respecting the rule of law and individual 
freedoms, notably Sen. Klobuchar (D-MN) with her bill.\93\
---------------------------------------------------------------------------
    \93\ Social Media Privacy Protection and Consumer Rights Act of 
2018, https://www.congress.gov/bill/115th-congress/senate-bill/2728/
text.
---------------------------------------------------------------------------
    Indeed, there are conflicting visions within the EU itself about 
which elements of data protection are valuable. A study of Polish 
university students' monetary valuation of specific GDPR provisions 
using stated preference discrete choice experiments highlights the 
enormous gap between research and policy.\94\ Researchers estimate that 
users are willing to pay €6.5/month for a subset of GDPR provisions, 
notably €1.4/month for erasure and €0.80/month not to be profiled. 
Interestingly while data portability is valued by policymakers, it was 
not valued by students. The study also suggests that users could value 
data protection differently at different points in time and depending 
on the application used.
---------------------------------------------------------------------------
    \94\ Sobolewski, Maciej and Palinski Michal. How much consumers 
value on-line privacy? Welfare assessment of new data protection 
regulation (GDPR). International Telecommunications Society Conference, 
Passau. July 31, 2017
---------------------------------------------------------------------------
    If users are willing to pay for specific data protection services, 
why not allow companies to charge for such services or align their 
business models based upon their specific consumer preferences? Instead 
the GDPR increases the cost across the board without meaningfully 
addressing individual preferences. By requiring all companies to 
implement such rules, the EU reduces competitive parameters by forcing 
companies to evolve when the market would otherwise make them obsolete. 
Informed policy would use randomized controlled trials to find which 
set of preferences is most valued and efficient. Simply put, the 17 
enumerated ``rights'' represent the wish list of activists, not the 
evidence-based request of citizens.
Challenging the GDPR as an Illegal Trade Barrier
    We should recognize the GDPR for what it is--a standards war--and 
make the appropriate response. For years Europe has fallen behind in 
the digital economy. It continues to watch the US, and increasingly 
China, capture the world market for Internet innovation and revenue. So 
rather than compete on making better Internet products and services, 
the EU competes on regulatory standards. While the EU claims that the 
GDPR regulates data processing for ``mankind,'' its motives are 
geopolitical, not humanitarian.\95\ While the GDPR's supporters claim 
its benefit for ``everyone'', only a select few were involved in its 
development. Non-Europeans were never consulted on this legislation, 
nor were they able to vote on its passage. Moreover, the European 
Parliament didn't consult with global institutions or multistakeholder 
groups before making the GDPR.
---------------------------------------------------------------------------
    \95\ GDPR Paragraph 4
---------------------------------------------------------------------------
    The EU made a similar gambit for world dominance in mobile 
standards by forcing the adoption of 3G/GSM, hoping to trounce the 
code-division multiple access (CDMA) platform that American operators 
had invested in. For a time, the strategy gave the European mobile 
industry (including its six phone manufacturers) a leg up, but the U.S. 
jumped ahead to 4G and became the world leader in mobile. We should not 
copy the GDPR but rather leapfrog it with a better approach to data 
protection.\96\
---------------------------------------------------------------------------
    \96\ Roslyn Layton, ``Four Ways the U.S. Can Leapfrog the EU on 
Online Privacy,'' AEIdeas, May 22, 2018, http://www.aei.org/
publication/four-ways-the-us-can-leapfrog-the-eu-on-online-privacy/.
---------------------------------------------------------------------------
    The EU's GDPR is a form of mercantilism, an economic policy 
promoting government regulation of the economy to augment state power 
at the expense of rival nations. It was widely practiced in Europe from 
the 16-18th century and led to colonial expansion as well as war. 
Mercantilism is the opposite of the American system, the classic 
political economy.\97\ The GDPR likely violates the World Trade 
Organization and the Information Technology Agreement and should be 
challenged as such.\98\
---------------------------------------------------------------------------
    \97\ Lars Magnusson, Mercantilism: The Shaping of an Economic 
Language. Routledge, 2015.
    \98\ Julie A. Hedlund and Robert D. Atkinson. ``The Rise of the New 
Mercantilists: Unfair Trade Practices in the Innovation Economy.'' 
ITIF, June 2007. http://www.itif.org/files/ITMercantilism.pdf
---------------------------------------------------------------------------
    Based on the scientific evidence, the keys to improving trust 
online are consumer education and incentives for innovation in privacy 
enhancing technologies. These topics have little to no mention in the 
GDPR and represent the path for the U.S. to develop a superior 
approach.
Leapfrogging the GDPR
    Consumer Education
    While the GDPR claims to empower people, it offers nothing in the 
way to empower people to educate themselves about how to engage online 
responsibly. This is likely on purpose because regulatory advocates 
realize that if people were educated and empowered, they could make 
their own decisions about how to engage with platforms and would not 
require government supervision on their online activities.
    The GDPR perpetuates a fallacy that making consent more explicit 
makes consumers more informed. It is like speaking more loudly to a 
person who speaks another language in the hope that she will better 
understand. The GDPR requires enterprises to make consent ever more 
detailed, burdensome and granular without increasing the user's 
knowledge of the transaction. This creates an increasing chasm between 
consumer empowerment and bureaucratic control.
    Public choice theory also suggests that the EU data supervisors' 
preferences are not necessarily aligned with the ``public interest,'' 
what is best for European welfare in the long run. Increasing user 
knowledge and the quality of data protection technology could 
legitimately make people better off, but it could also render 
regulators less important. While data supervisors will not necessarily 
reject policies that improve user knowledge and technology design, it 
is in their interest to promote inputs that increase their own 
resources and legitimacy in conducting compliance and adjudication.
    As my research details, the EU's official statistics, the 
Eurobarometer, notes that more than half of all Europeans fail to 
practice basic privacy-enhancing behaviors.\99\ This situation is ripe 
for improvement and represents a classic example of how consumer 
education can improve outcomes better, more quickly, and at a lower 
cost than regulation. Indeed, the first principle of consumer education 
in data protection, buyer beware, is the first principle for how 
citizens should protect themselves in cyberthreats in Michael 
Chertoff's new book on cybersecurity: ``Be mindful of what data you 
transmit and what you connect to your own network.'' \100\ He also 
recommends practicing cyber hygiene, taking advantage of layered 
cybersecurity technology, and outsmarting scams with a phone call. 
Consumers need to practice the same kind of vigilance and personal 
responsibility in cybersecurity as they do in the data protection 
domain. Outsourcing the job to bureaucrats will not cut it.
---------------------------------------------------------------------------
    \99\ See Roslyn Layton, How the GDPR Compares to Best Practices for 
Privacy, Accountability, and Trust, at 14 (Mar. 31, 2018), https://
papers.ssrn.com/sol3/papers.cfm?abstract_id=2944358.
    \100\ Michael Chertoff. Exploding Data: Reclaiming Our Cyber 
Security in the Digital Age. Atlantic Monthly Press, 2018.
---------------------------------------------------------------------------
    Several private and public organizations have outlined the role of 
consumer education in online privacy more than a decade ago, but these 
assets were purposely ignored by the European Parliament in crafting 
the legislation. Notably, the Organisation for Economic Co-operation 
and Development (OECD) published a study on Consumer Education for 
Digital Competence.\101\ Key learning points include:
---------------------------------------------------------------------------
    \101\ Organisation for Economic Co-operation and Development, 
``Consumer Education Policy Recommendations of the OECD'S Committee on 
Consumer Policy,'' 2009, http://www.oecd.org/sti/consumer/44110333.pdf.
---------------------------------------------------------------------------

   Linking the concept of digital competence with critical 
        thinking on technology and the media;

   Educating to provide a basis for developing an understanding 
        of the structures and conceptual relationships understanding 
        digital media (e.g., functioning of online market, e-commerce 
        marketing techniques, and user tools);

   Learning the how and why of protecting personal information 
        when using digital media;

   Using media to promote the education of digital competence 
        in compelling ways (e.g., games, videos, blogs, and virtual 
        worlds);

   Age-appropriate education;

   Implementing teacher training; and

   Strengthening multi-stakeholder cooperation to create 
        educational partnerships.

    The OECD also published a book to describe prevailing consumer 
education practices across the member nations, including the 
institutional frameworks and policy evaluation tools.\102\ For example, 
in the U.S., the ``Teaching Privacy Curriculum'' by Serge Egelman et 
al., offers interactive instruction on 10 principles of online privacy 
over three weeks in a university setting, a method which has also 
proved effective to educate and empower users to manage their 
privacy.\103\
---------------------------------------------------------------------------
    \102\ Organisation for Economic Co-operation and Development, 
``Promoting Consumer Education: Trends, Policies and Good Practices--
OECD,'' March 2009, http://www.oecd.org/sti/consumer/
promotingconsumereducationtrendspoliciesandgoodpractices.htm#howto.
    \103\ Serge Egelman et al., ``The Teaching Privacy Curriculum,'' 
2016, 591-96.
---------------------------------------------------------------------------
Innovation in Privacy-Enhancing Technology
    The second area with only limited discussion in the GDPR is the 
role of privacy-enhancing technology. In its report ``Privacy Enhancing 
Technologies: Evolution and State of the Art,'' the European Union 
Agency for Network and Information Security (ENISA, now called the 
Cybersecurity Agency) describes privacy-enhancing technologies (PETs) 
as ``a system of ICT measures protecting informational privacy by 
eliminating or minimizing personal data thereby preventing unnecessary 
or unwanted processing of personal data, without the loss of the 
functionality of the information system.'' \104\ The ENISA report 
describes a wealth of technologies, but the GDPR only mentions two: 
encryption/pseudonymisation and data minimization.
---------------------------------------------------------------------------
    \104\ European Union Agency for Network and Information Security, 
``Privacy Enhancing Technologies: Evolution and State of the Art--
ENISA,'' March 9, 2017, https://www.enisa.europa.eu/publications/pets-
evolution-and-state-of-the-art.
---------------------------------------------------------------------------
    ENISA's related report ``Privacy and Data Protection by Design'' 
explains privacy enhancing technologies including not only encryption 
but also protocols for anonymous communications, attribute-based 
credentials, and private search of databases in addition to a range of 
strategies of multiple practices that firms can employ.\105\ It 
describes a large body of literature on privacy by design but that its 
implementation is weak and scattered. Indeed, privacy and data 
protection features are relatively new issues for engineers, designers, 
and product developers when implementing the desired functionality. To 
address this, ENISA has stewarded the discussion on how to develop a 
repository of such technologies.
---------------------------------------------------------------------------
    \105\ European Union Agency for Network and Information Security, 
``Privacy and Data Protection by Design--ENISA,'' January 12, 2015, 
https://www.enisa.europa.eu/publications/privacy-and-data-protection-
by-design.
---------------------------------------------------------------------------
    Consider how technology and innovation could create better outcomes 
than prescriptive regulation. The GDPR has extensive reporting, 
auditing, and compliance requirements, necessitating that enterprises 
hire data protection officers and that data protection authorities hire 
workers. These requirements will vastly increase the paperwork created 
and stored in databases, itself a cybersecurity risk. If the goal is to 
ensure that entities are practicing data protection, a better system 
could be audit on demand, or even auditable systems, software which 
exposes the relevant information to those users who are interested, 
like ratings used on peer to peer platforms.
    It could be that because privacy by design technologies are 
nascent, policymakers are reluctant to describe them in further detail, 
though this also contradicts the implicit assumption of the GDPR that 
data supervisors know best. However, the GDPR-chosen approach of 
regulation creates path dependency and inevitable outcomes. It clearly 
puts the thumb on the scale in favor of regulation over innovation.
    Such frameworks can have indirect effects in that firms, concerned 
about inadvertently violating many of the tenets of the regulation and 
facing steep fines, will choose not to innovate. The GDPR's Article 25 
on privacy by design and by default offers little in the way of 
incentives. There is no safe harbor for data processors to experiment 
or to implement new privacy by design technologies, so firms risk 
significant fines if their technologies fail, even if they have an 
entrepreneurial willingness to employ improved technologies.
    A review of the literature on the impacts of economic regulation in 
the information communications technology sector shows a detrimental 
impact of regulation on innovation.\106\ Regulation can create a 
deadweight loss in the economy as resources are diverted to regulatory 
compliance and away from welfare-enhancing innovation. A study across 
all major industries from 1997 to 2010 found that less-regulated 
industries outperformed overregulated ones in output and productivity 
and grew 63 percent more. Overregulation increases barriers to entry 
for entrepreneurs, which slows economic growth.\107\ Moreover, 
regulation can crowd out efforts to create new and better systems.\108\
---------------------------------------------------------------------------
    \106\ Luke Stewart, ``The Impact of Regulation on Innovation in the 
United States: A Cross,'' Information Technology and Innovation 
Foundation, June 2010, 18, http://www.itif.org/files/2011-impact-
regulation-innovation.pdf.
    \107\ Antony Davies, ``Regulation and Productivity,'' Mercatus 
Center, May 7, 2014, https://www.mercatus.org/publication/regulation-
and-productivity.
    \108\ Patrick McLaughlin and Richard Williams, ``The Consequences 
of Regulatory Accumulation and a Proposed Solution / Mercatus,'' 
Mercatus Center, February 11, 2014, http://mercatus.org/publication/
consequences-regulatory-accumulation-and-proposed-solution.
---------------------------------------------------------------------------
    As early as 2010, the International Conference of Data Protection 
and Privacy Commissioners resolved that efforts to promote privacy by 
design needed to be more deeply embedded in policy.\109\ The EU could 
offer grants or rewards for designing better technologies, but those 
approaches were declined in the regulation. Instead the EU freezes in 
time one view of data governance to which all controllers must adhere, 
creating a monolithic attack surface. A better approach is to adopt a 
policy declaring the importance of data protection and allow entities 
to evolve the most salient approaches.
---------------------------------------------------------------------------
    \109\ European Data Protection Supervisor, ``International 
Conference of Data Protection and Privacy Commissioners,'' October 27, 
2010, https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/
Documents/Cooperation/Conference_int/10-10-27_Jerusalem_Resolutionon
_PrivacybyDesign_EN.pdf.
---------------------------------------------------------------------------
    The National Institute of Standards and Technology framework offers 
the most salient way forward to design a 21st-century paradigm of data 
protection. The focus on the scientific approach ensures the 
engineering trustworthiness of technology and its incorporation into 
society. Measurement science and system engineering principles can 
support the creation of frameworks, risk models, tools, and standards 
that protect privacy and civil liberties.\110\ As such, Americans can 
develop a better regime through science, technology, and innovation. 
Policymakers can incentivize this with partnerships for grants, prizes, 
awards, competitions, and safe harbors for innovation to ensure that 
innovators can innovate without punishment.
---------------------------------------------------------------------------
    \110\ Paul Hernandez, ``Cybersecurity and Privacy Applications,'' 
National Institute of Standards and Technology, August 23, 2016, 
https://www.nist.gov/itl/applied-cybersecurity/cybersecurity-and-
privacy-applications.
---------------------------------------------------------------------------
Data Localization
    Related to the protectionist GDPR is data localization. 
Increasingly, countries are forcing firms to store data locally, 
inhibiting the free flow of information and creating a Balkanized 
internet. Some 34 countries have enacted barriers \111\ to restrict 
data--whether financial, personal, government, telecommunications, or 
others against digital services. The United States International Trade 
Commission describes the importance of global digital trade and the 
many barriers.\112\
---------------------------------------------------------------------------
    \111\ Nigel Cory, ``Cross-Border Data Flows: Where Are the 
Barriers, and What Do They Cost?,'' Information Technology and 
Innovation Foundation, May 1, 2017, https://itif.org/publications/2017/
05/01/cross-border-data-flows-where-are-barriers-and-what-do-they-cost.
    \112\ United States International Trade Commission, ``Despite Huge 
Growth in Global Digital Trade in Recent Years, Some Countries Seek to 
Slow Adoption, Reports USITC,'' press release, September 28, 2017, 
https://www.usitc.gov/press_room/news_release/2017/er0928ll836.htm.
---------------------------------------------------------------------------
    Countries claim that they need data localization to ensure data 
privacy and cybersecurity, help the local digital economy, and ensure 
government access to data, but these reasons are unfounded. Cyber 
threats transcend borders, and the data's location is not a deterrent 
to criminals. While firms take advantage of multiple locations for data 
centers, these centers offer limited support to economic growth. The 
proper strategy to support the local digital economy is to focus human 
capital to create digital goods and services in the country itself. 
Governments can get access to data when they need to with the 
appropriate court orders; the length of time of delivery is a matter of 
seconds.
    Data localism should be addressed appropriately by the rule of law, 
at the World Trade Organization, and with other appropriate 
institutions.
Intellectual Property
    Just as we can describe Title II Internet regulations as government 
taking the physical property of networks, the GDPR is government taking 
the intellectual property of algorithms. Both regulations deny their 
owners their rights of ownership and innovation.\113\
---------------------------------------------------------------------------
    \113\ Roslyn Layton and Bronwyn Howell, ``How Title II Harms 
Consumers and Innovators,'' American Enterprise Institute, July 14, 
2017, http://www.aei.org/publication/how-title-ii-harms-consumers-and-
innovators/.
---------------------------------------------------------------------------
    Protection of intellectual property is enshrined in our 
Constitution.\114\ James Madison reiterated the Copyright Clause in 
Federalist Paper No. 43 noting, ``The utility of this power will 
scarcely be questioned. The copyright of authors has been solemnly 
adjudged, in Great Britain, to be a right of common law. The right to 
useful inventions seems with equal reason to belong to the inventors.'' 
\115\ The product that a person creates with his hands is no different 
than what he creates with his voice or brain. The creator has the right 
to decide how to monetize his creations.
---------------------------------------------------------------------------
    \114\ The Constitution of the United States (Article I, Section 8, 
Clause 8) grants to Congress the powers to promote ``the progress of 
science and useful arts'' by providing inventors the limited but 
exclusive right to their discoveries. This applies to copyrights and 
patents, with trademarks similarly protected by Congress under the 
Commerce Clause (Article I, Section 8, Clause 3). Together, they are 
all protected under the umbrella of intellectual property.
    \115\ James Madison. Federalist No. 43. January 23, 1788
---------------------------------------------------------------------------
    As of December 2016, copyrighted works contributed an estimated 
$1.2 trillion to the U.S. GDP,\116\ accounting for 6.88 percent of the 
U.S. economy, almost as large as the $1.6 trillion Internet economy 
itself.\117\ The Internet intermediaries enjoy intellectual property 
(IP) protection for their software and algorithms. It is illogical that 
the software property protections are honored internationally but not 
the content they deliver. The U.S. loses about $300 billion annually 
from the theft of copyrighted materials.\118\
---------------------------------------------------------------------------
    \116\ Stephen E. Siwek, ``Copyright Industries in the U.S. 
Economy,'' International Intellectual Property Alliance, 2016, https://
iipa.org/files/uploads/2018/01/2016CpyrtRptFull-1.pdf.
    \117\ CompTIA, ``Cyberstates,'' https://www.cyberstates.org/. 2018
    \118\ Supra Siwek.
---------------------------------------------------------------------------
    Fortunately, advances such as machine learning and cloud computing 
enable online intermediaries to accurately and efficiently identify 
known-infringing content, particularly content that rightsholders have 
shown belongs to them. Technologies and business models continue to 
improve making detection of pirated, unlicensed content more efficient, 
meaning that we can have a strong copyright standard without 
overburdening intermediaries. For example, ad networks can restrict the 
use of advertising on sites with known infringing content, which helps 
restrict revenue to those criminal enterprises designed to illegally 
exploit copyright-protected content. Such tools combat not only pirated 
content but also harmful and pirated goods such as counterfeit 
medicines.\119\
---------------------------------------------------------------------------
    \119\ Daniel Castro, ``PIPA/SOPA: Responding to Critics and Finding 
a Path Forward,'' Information Technology and Innovation Foundation, 
December 5, 2011, https://itif.org/publications/2011/12/05/pipasopa-
responding-critics-and-finding-path-forward.
---------------------------------------------------------------------------
    Like the network regulation debate, the copyright-free movement is 
a coalition of some large tech companies aligned with anti-IP groups 
that want to restrict if not abolish copyright protections.\120\ Some 
copyright ``minimalists'' argue that since they would not have paid for 
the products, stealing improves consumer welfare. Others see piracy as 
merely a form of societal redistribution from rights owners to 
consumers. They leverage databases of millions of users to overwhelm 
political process and create the appearance of grassroots support, for 
example one million signatures on a Change.org petition. This is not an 
authentic reflection of the people but rather the amplified support of 
the digital elite.\121\ Some countries recognize that they do not 
produce a significant amount of exportable digital content, so they see 
no strong incentive to have strong digital copyright enforcement. 
Instead, they see opportunities to create digital platforms that 
leverage the content produced by others, particularly U.S. creators.
---------------------------------------------------------------------------
    \120\ Richard Bennett, ``Europe's Piracy Dilemma,'' High Tech Forum, 
July 5, 2018, http://hightechforum.org/europes-piracy-dilemma/.
    \121\ Roslyn Layton, ``Net Neutrality: A Numbers Game,'' AEIdeas, 
July 25, 2016, http://www.aei.org/publication/net-neutrality-numbers-
game/; Change.org, ``Stop the Censorship-Machinery! Save the 
Internet!,'' https://www.change.org/p/european-parliament-stop-the-
censorship-machinery-save-the-internet; and Roslyn Layton, ``Dominated 
by the Digital Elite,'' US News & World Report, August 8, 2017, https:/
/www.usnews.com/opinion/economic-intelligence/articles/2017-08-08/the-
digital-elite-dominates-debates-over-net-neutrality-and-title-ii-rules.
---------------------------------------------------------------------------
    Another hypocrisy has emerged in that many advocates of the 
copyright-free movement want regulation to ensure their unfettered access 
to content regardless of the copyright concerns but see no problem when 
the onerous GDPR requirements force content owners to stop serving the 
EU. Similarly, they celebrate the liability protections of the 
Communications Decency Act \122\ and the Online Copyright Infringement 
Liability Limitation Act \123\ afforded to highly regulated common 
carriers in telecommunications, but don't see that the same common 
carriage should apply to their preferred Internet platforms which are 
also granted immunity under the Acts. Such legal policy inconsistencies 
should be investigated and resolved.
---------------------------------------------------------------------------
    \122\ 47 USC 230
    \123\ 17 USC 512
---------------------------------------------------------------------------
    Ideally, by creating transparency to the competing interests, the 
debate can move forward on the merits of the arguments. In any case, 
without copyright, the individual creator has no protection for his 
work, so supporting this position is vital to ensure individual rights.
Some reasons for the decline in U.S. Internet leadership
    The U.S. had a leadership role in Internet governance, but lost it. 
When the U.S. fails to uphold the rule of law in its own country, it 
gives license to other nations to do the same. Moreover, the U.S. 
failed to challenge those countries that violate digital trade 
agreements. During this period in which the U.S. has slackened in its 
own practice of the rule of law, there has been a shift of the 
international view of America over the past 20 years from one of 
respect and reverence to one of resentment. The Pew Research Center's 
Global Attitudes and Trends reports that other nations' opinions of the 
U.S. have diminished from preeminence to a tie with China for the 
world's most popular nation.\124\
---------------------------------------------------------------------------
    \124\ Global Indicators Database, ``Do You Have a Favorable or 
Unfavorable View of the U.S.?,'' Pew Research Center, http://
www.pewglobal.org/database/indicator/1/.
---------------------------------------------------------------------------
    To a number of foreign nations, the explosion of free speech 
restrictions on American college campuses legitimizes the efforts to 
clamp down on journalists, dissidents, and other critics of government. 
In the Internet space, a recent and egregious example was in 2014-15. 
The Federal Communications Commission pronounced that one of its 
greatest inventions--the internet--is a mere extension of the telephone 
network and thus a utility to be regulated by the government. It was a 
slap in the face to engineers and inventors whose life's work was 
creating an alternative to the telephone. It disrespected their 
inventions and the technologies of freedom. In addition, it trampled 
the rule of law, in which the people certified through Congress that 
the Internet is to be free and unfettered from state and Federal 
regulation. The move to declare the Internet a utility was welcomed by 
many unsavory nations as perfect justification to apply their favorite 
form of government control on the internet. It is no surprise that 
dozens of nations have engaged in harmful regulation toward the US, a 
country they once respected. Moreover, Internet freedom has been 
declining for the past seven years despite increasing regulation around 
the world purported to protect consumers and ``openness.'' \125\
---------------------------------------------------------------------------
    \125\ Roslyn Layton, ``The Link Between Net Neutrality and 
Declining Internet Freedom,'' AEIdeas, December 15, 2015, http://
www.aei.org/publication/link-net-neutrality-declining-internet-
freedom/. For an updated report, see Freedom House, ``Manipulating 
Social Media to Undermine Democracy,'' https://freedomhouse.org/report/
freedom-net/freedom-net-2017.
---------------------------------------------------------------------------
    This abuse is not limited to government. Leading Silicon Valley 
firms have waged a campaign to impose Internet regulation on the 
telecom industry to avoid interconnection fees and preclude the 
development of competitive business models for content and 
advertising.\126\ While it may be a rational strategy for Silicon 
Valley, it is wrong and unfair to employ political means to secure 
price controls that undermine the efficient functioning of Internet 
markets. As I have demonstrated with more than 5 years of doctoral and 
post-doctoral research, these regulatory policies have been harmful in 
the U.S. and abroad, concentrating Internet traffic to fewer players 
and enshrining a monoculture of platform paradigms and business 
models.\127\
---------------------------------------------------------------------------
    \126\ Internet Association, ``Net Neutrality,'' accessed July 19, 
2018, https://internetassociation.org/positions/net-neutrality/.
    \127\ Roslyn Layton. Which Open Internet Framework is Best for 
Mobile App innovation? An empirical inquiry of net neutrality rules 
around the world. Aalborg University, 2017. http://vbn.aau.dk/en/
publications/which-open-internet-framework-is-best-for-mobile-app-
innovation(b1f05c8d-b31e-47cd-b19d-bcf6893e7e5b).html
---------------------------------------------------------------------------
    The imposition of price controls denies infrastructure providers 
revenue to build networks (and tax revenue for governments), undermines 
the emergence of business models that could support local content 
development for socially beneficial goods (particularly in developing 
countries), and unduly burdens consumers with the full cost of networks, 
a cost that falls disproportionately on the poor. Moreover, the 
politicized regulatory exercise distracts scarce policymaking resources 
away from real problems, which are empirically demonstrated to be the 
malign acts of governments to censor people, services, and data.\128\ 
Indeed, many internet-related firms and industries have taken advantage 
of the regulatory process to win favorable treatment for themselves at 
the expense of their competitors and consumers. Foreign counterparts 
have learned from the rent-seeking behavior of American firms, and it 
has boomeranged. Now foreign governments find ways to regulate American 
firms to reward their domestic players.\129\
---------------------------------------------------------------------------
    \128\ Freedom House, ``Freedom on the Net 2017,'' https://
freedomhouse.org/report/freedom-net/freedom-net-2017.
    \129\ Roslyn Layton, ``Net Neutrality Will Be Reincarnated as 
Platform Regulation,'' AEIdeas, December 20, 2017, http://www.aei.org/
publication/net-neutrality-will-be-reincarnated-as-platform-
regulation/.
---------------------------------------------------------------------------
    Moreover the U.S. has distracted itself with phantom fears 
instead of focusing on real threats. The U.S. may have been the leader 
in 4G, but leadership is not assured in future generations. The Chinese 
government wants its country's device, app, and service developers to 
win the race for the 5G ecosystem. China has already replaced the U.S. 
as the world's largest mobile app market,\130\ unseating the U.S. in 
downloads and revenue in 2016. The U.S., caught up in crony squabbles 
and rent-seeking regulation over the past decade, took its eye off the 
ball. The real threat to Silicon Valley is not the Nation's 4,551 
Internet service providers, but rather Chinese Internet giants, 
including Baidu, Alibaba, and Tencent, which make the U.S. players look 
tame by comparison.\131\
---------------------------------------------------------------------------
    \130\ App Annie Content, ``App Annie Mobile App Forecast: China to 
Surpass the U.S. in 2016,'' accessed July 19, 2018, https://
www.appannie.com/en/insights/market-data/mobile-app-forecast-china-to-
surpass-us-in-2016/.
    \131\ CTIA, ``How America's 4G Leadership Propelled the U.S. 
Economy''; Raymond Zhong, ``Worried About Big Tech? Chinese Giants Make 
America's Look Tame,'' New York Times, May 31, 2018, https://
www.nytimes.com/2018/05/31/technology/china-tencent-alibaba.html.
---------------------------------------------------------------------------
    Unless it wants to capitulate to China, American industry needs to 
set aside its crony games and start to play for Team USA. Telecom, 
content, software, and hardware companies should all play for the same 
team. They should partner to complement each other's strengths, 
leveraging the appropriate actors for the conversation. Moreover, Team 
USA should grow the bench and bring new valuable actors into the fold. 
The more robust our market and diversified our business models, the 
less likely China will be able to disrupt it.\132\
---------------------------------------------------------------------------
    \132\ Sara Fischer, ``U.S. Big Tech Is Still Beating out China,'' 
Axios, July 24, 2018, https://www.axios.com/us-big-tech-china-silicon-
valley-fe76b105-d9d0-4b34-8632-7e91b8f6d9a2.html.
---------------------------------------------------------------------------
Earning the leadership role again
    The U.S. needs to model the behavior it wants to see in the world 
by upholding the rule of law and respect for individual rights. When 
American enterprises operate abroad--whether they are for-profit 
corporations or nonprofit entities--they want a rational, predictable, 
and consistent framework across the board. Such a framework allows the 
enterprise to minimize costs, maximize revenue, ensure efficiency, and 
allow improvement and innovation. To ensure the ideal framework abroad, 
enterprises should advocate for the ideal framework at home. Therefore, 
the policy should be a consistent set of rules for all players, 
grounded in modern, evidence-based standards of antitrust and 
delivered by the FTC.\133\ This also requires removing the asymmetric 
regulation and regulatory prejudice that have stymied innovation in 
business models and platforms.
---------------------------------------------------------------------------
    \133\ Richard Bennett et al., Comments on Communications Act 
Modernization, January 31, 2014, https://ssrn.com/abstract=2388723.
---------------------------------------------------------------------------
    We must also let go of antique notions of Internet architecture and 
outdated regulations that prohibit innovation e.g., this wooden notion 
of network core and edge. It is precisely these regulatory prejudices 
that have precluded the network design advancements that can improve 
security.\134\ It was reasonable to trust the digital community in 
the days of the ARPANET when the users were a handful of scientists and 
engineers. With billions of Internet users today, assumed trust is not 
an option. Cyberattacks and threats are commonplace and demand to be 
addressed within the framework of defense. Perpetrators of 
cyberattacks, notably rogue states, should be punished by ending visas, 
freezing assets, and other punitive tools of international law. Modern 
cybersecurity requires advanced information-sharing among global 
partners, a market for cyber insurance, freedom of parties to exercise 
self-defense, and the augmentation of government's coordination with 
military, business, and hacker communities.\135\ Some suggest that the 
cybersecurity crisis is the outcome of obsolete networked computer 
architecture and demands a new paradigm of cryptography, the 
architecture of blockchain, and its derivatives. It is suggested that 
this emergent architecture will enable a new form of payments on the 
Internet and topple reigning monopolies.\136\
---------------------------------------------------------------------------
    \134\ Jaikumar Vijayan, ``Net Neutrality Could Hinder Efforts to 
Safeguard Web, Worry Security Experts,'' Christian Science Monitor, 
February 27, 2015, https://www.csmonitor.com/World/Passcode/2015/0227/
Net-neutrality-could-hinder-efforts-to-safeguard-Web-worry-security-
experts.
    \135\ Jeffrey A. Eisenach et al., ``An American Strategy for 
Cyberspace: Advancing Freedom, Security, and Prosperity,'' American 
Enterprise Institute, June 3, 2016, http://www.aei.org/spotlight/
american-strategy-for-cyberspace/.
    \136\ George Gilder, Life After Google: The Fall of Big Data and 
the Rise of the Blockchain Economy (Gateway Publishers, 2018).
---------------------------------------------------------------------------
    Let me close with a story that demonstrates how the U.S. pursuing 
its national interest has been a force for good.\137\ Upon coming into 
office, Thomas Jefferson was confronted with the problem of American 
merchant ships being seized by the Barbary States of Northern Africa; 
the goods were confiscated and the crews enslaved. Most countries paid 
ransom so that they could traverse the Mediterranean. American 
representatives had tried negotiation for some 20 years, but the 
situation grew worse. Over 1 million Europeans and Americans had been 
captured by the Barbary pirates over the period.
---------------------------------------------------------------------------
    \137\ Gordon Wood. Revolutionary Characters: What Made the Founders 
Different. Penguin Press, 2006.
---------------------------------------------------------------------------
    On the eve of his inauguration, Jefferson's request to Congress was 
authorized, dispatching naval ships to the region to recover the 
hostages and destroy the pirate fleets. Sweden and Sicily joined the 
effort because they too had suffered the Barbary scourge. After a 
series of battles, the U.S. emerged victorious, returned the stolen 
goods to the various European nations, and returned to the U.S. with 
the American hostages. The Barbary Wars became a vindication for 
Jefferson whose critics wanted him to focus inward on the Louisiana 
purchase. Winning the Barbary Wars solidified free trade in the 
Mediterranean.
    Just as Jefferson had to secure the sea lanes for trade in the 19th 
century, we must secure the information lanes for the free flow of data 
in the 21st. Otherwise we appease mercantilist nations by letting them 
violate international law, and the situation grows worse. Ideally the 
issues can be resolved in the context of trade negotiation. 
Alternatively, we can create a better regime which becomes so popular 
that the rest of the world joins it, isolating the mercantilists. Or we 
can fight. This is not to suggest a military war, but a war in the 
court.

    Senator Wicker. Thank you very much, Dr. Layton.
    Ms. Zheng.

STATEMENT OF DENISE E. ZHENG, VICE PRESIDENT, POLICY, BUSINESS 
                           ROUNDTABLE

    Ms. Zheng. Chairman Wicker, Ranking Member Schatz, members 
of the Subcommittee, thank you for the opportunity to testify 
on behalf of the Business Roundtable.
    Today, few companies can compete and succeed without making 
extensive use of data and digital systems, but recently there 
has been a rapid increase in the number of policies around the 
world that undermines digital innovation, trade, by creating 
fragmentation, uncertainty, significant compliance costs, and 
other unintended consequences.
    The compliance environment is increasingly cumbersome for 
large companies and simply impossible for small companies and 
startups to comply. The EU and China are the most active 
players in rolling out digital regulations, but India, Russia, 
South Korea, and other Asian and Latin American countries are 
ramping up efforts to develop and enforce a wide range of 
cybersecurity, privacy, and data localization policies.
    China has the most aggressive regime in place, mandating 
all important information and personal information be stored 
locally in China. As currently defined, the law would require 
any entity that owns or operates a computer network and applies 
to a vast assortment of different types of data.
    India, Russia, Nigeria, South Korea all have enacted laws 
that prohibit transferring various types of business and 
consumer data. In fact, at least 34 different countries have 
data localization requirements that can raise the cost of 
posting data by an estimated 30 to 60 percent for covered 
companies.
    Approximately 120 countries currently have data privacy 
laws and many more countries are considering legislation in 
this area. Some companies have decided to discontinue offering 
products and services in the EU because of GDPR compliance 
costs which are so high that they can no longer justify being 
in the market.
    For example, some firms are blocking EU-based users from 
their products and services, including from visiting their 
websites, to avoid facing steep fines of 20 million Euros or 4 
percent of annual revenue, whichever is higher. The GDPR alone 
is costing Global Fortune 500 companies a combined total of 
$7.8 billion this year to comply.
    Fragmentation of domestic policy regulations in the United 
States is also on the rise. In addition to several existing 
sector-specific Federal and state privacy regulations, 
California recently passed a privacy bill that applies broadly 
across many sectors. Numerous other privacy proposals are 
pending in state legislatures that, if passed, would further 
increase the complexity of privacy regulations across the U.S.
    Cybersecurity regulations are also expanding globally. The 
financial services industry is an example of a sector that 
faces an expanding number of international cybersecurity 
requirements with more than 40 different policies, including 
overlapping mandatory risk assessments, penetration testing, 
and incident reporting to multiple authorities in each country.
    Now don't get me wrong. Cybersecurity is a serious matter. 
We should have mechanisms in place to ensure adequate 
protection, but uncoordinated policies across countries means 
that companies must reconcile competing regulations that divert 
resources away from security toward compliance.
    A fragmented international digital policy landscape will 
likely have the most significant impact on startups and small- 
and medium-sized companies with limited resources to comply 
with ambiguous requirements and pay-for-views in countries like 
China with excessive paperwork associated with EU policies.
    And emerging technologies, like artificial intelligence and 
block chain, are also hindered by regulatory uncertainty. For 
example, the data minimization, automated decisionmaking, and 
right to erasure provisions of the GDPR could create barriers 
to the commercial development of these important technologies.
    In light of these trends, I would like to end by outlining 
four areas for congressional focus.
    The first is to work on establishing alliances, 
particularly with like-minded countries, to counter technology 
restrictions as a condition to accessing foreign markets. We 
are more effective with strong partners and allies.
    Second, the U.S. must lead in the development of 
international norms, best practices, and standards for 
cybersecurity, privacy, and cross-border data flows, as well as 
emerging technologies, such as AI and block chain, because 
rules for those technologies do not yet exist.
    Third, the U.S. must work to align and harmonize policies 
to avoid global fragmentation. We cannot afford to be missing 
from the important international forums on additional policy 
issues as China and other countries are actively seeking to 
rewrite the rules of the Internet that are fundamentally at 
odds with open markets and democratic values.
    And, finally and perhaps most immediately, Congress should 
act to protect transatlantic border data flows under the 
Privacy Shield by making the ombudsperson a permanent position 
within the State Department.
    It should also act swiftly to confirm the nominees for the 
Privacy and Civil Liberties Oversight Board, which plays a 
critical role in fulfilling the requirements under the Privacy 
Shield.
    Mr. Chairman, thank you for your leadership in holding this 
hearing and for encouraging a dialogue. I look forward to 
taking questions.
    [The prepared statement of Ms. Zheng follows:]

    Prepared Statement of Denise E. Zheng, Vice President, Policy, 
                          Business Roundtable
    Chairman Wicker, Ranking Member Schatz, Members of the 
Subcommittee, thank you for the opportunity to testify on behalf of 
Business Roundtable regarding international policies related to the 
Internet and digital platforms--more broadly referred to as 
``information and communications technology'' (ICT)--and their impact 
on competitiveness, investment, and innovation.
    Business Roundtable is an association of chief executive officers 
(CEOs) of the world's largest multinational companies. Collectively, 
our member companies employ more than 16 million people across all 
sectors of the economy. It is a commonly held misperception that ICT 
policies only affect the technology industry. The reality is that few 
companies can compete and succeed today without making extensive and 
effective use of data and digital platforms.
    Recently there has been a rapid increase in the number of complex, 
conflicting, and uncoordinated ICT public policies from governments 
around the world. This trend undermines global digital innovation and 
trade by creating policy and regulatory fragmentation, business 
uncertainty, overwhelming compliance costs, and other unintended 
consequences.
Trends in Global ICT Policy
    Governments have a responsibility to develop ICT policies that 
provide for national security, protect public safety, and ensure 
individual privacy. But too often, countries are defining security, 
privacy, and safety in an overly broad manner, resulting in a wide 
array of laws and regulations that erect barriers to an interoperable 
and open global internet. In some cases, nations impose ICT policies 
for the stated purpose of cybersecurity and privacy, even though the 
policies are designed primarily to keep U.S. companies out and protect 
local industries. In other cases, the global patchwork of various 
cybersecurity and privacy requirements creates a compliance nightmare 
that is cumbersome and costly for large companies and impossible for 
small companies and startups.
    The European Union (EU) and China are currently the most active 
players in developing and implementing ICT policies. But India, Russia, 
South Korea, and other Asian and Latin American countries are ramping 
up efforts to develop and enforce a wide range of cybersecurity, 
privacy, and data localization policies. Already at least 34 different 
countries have data localization requirements, while approximately 120 
countries have data privacy laws and many more countries are 
considering legislation in this area.\1\
---------------------------------------------------------------------------
    \1\ Pfeifle, S. (2017, September) Is the GDPR a data localization 
law? Retrieved from 
https://iapp.org/news/a/is-the-gdpr-a-data-localization-law/
---------------------------------------------------------------------------
    The following sections highlight a selection of ICT policies that 
have a significant impact on Business Roundtable members and other 
U.S.-based companies.
Data Localization
    China has the most aggressive data localization laws. China's 
Cybersecurity Law that went into effect in June 2017 requires all 
``important information'' and ``personal information'' to be stored in 
China. Under this regime, ``network operators'' are prohibited from 
transferring covered data outside of China without undergoing a 
government-mandated security assessment. As currently defined, the law 
could cover any entity that owns or operates a computer network and 
applies to a vast and ambiguous assortment of different types of data. 
China is not the only country with data localization requirements: 
India, Russia, Nigeria, and South Korea all have enacted laws that 
prohibit the transfer of a range of business and consumer data outside 
of their respective jurisdictions. In some cases, these laws mandate 
physical servers be installed in-country as a condition of doing 
business.
    This growing number of localization requirements is already proving 
costly for many industry sectors, including health, retail, finance, 
insurance, energy, manufacturing, and technology. These mandates are 
making it increasingly difficult for U.S. companies to do business in 
key markets such as Asia and Latin America.
Cybersecurity
    Cybersecurity regulations are expanding globally. For example, 
China, which has some of the most heavy-handed regulations, requires 
companies in industries deemed to be ``critical'' to demonstrate that 
their technology systems are ``secure and controllable.'' Such 
companies must undergo inspections and assessments of company networks 
and are mandated to disclose computer program source code to the 
Chinese government for review. The European Council recently proposed a 
new cybersecurity regulation (the EU Cybersecurity Act) that would 
create a security certification regime for ICT products and services. 
If the law takes a mandatory, rather than voluntary, approach, it could 
have the effect of dictating how American firms design, develop, 
manufacture, and deliver ICT products and services.
    The financial services sector, in particular, faces an expanding 
number of international cybersecurity regulations, with more than 40 
different international cybersecurity policies already in place,\2\ 
ranging from risk assessments to penetration testing to incident 
reporting. In this environment, companies must reconcile competing and 
redundant cybersecurity regulations that divert significant resources 
from truly effective cybersecurity measures toward time-consuming 
compliance activity, such as certifications and questionnaires.
---------------------------------------------------------------------------
    \2\ World Bank Group, Financial Sector Advisory Center (2017, 
October) Financial Sector's Cybersecurity: A Regulatory Digest. 
Retrieved from 
http://pubdocs.worldbank.org/en/524901513362019919/FinSAC-CybersecDigestOct-2017-Dec2017.pdf
---------------------------------------------------------------------------
Privacy
    In May 2018, the EU's General Data Protection Regulation (GDPR) 
went into effect and established the most expansive privacy regime in 
the world. The GDPR covers nearly all types of personal data and 
affects business-to-consumer as well as business-to-business firms. The 
GDPR has an extraterritorial application meaning that its scope covers 
any company, regardless of whether it is based in the EU or not, that 
meets the law's threshold requirements for processing personal data of 
individuals in the EU.
    This means that some companies, such as those that cannot justify 
spending the resources necessary to demonstrate compliance with the 
GDPR, are forced to take steps to block EU-based users from using their 
products and services, including from visiting their websites, to avoid 
facing steep fines of up to 20 million euros or 4 percent of annual 
revenue, whichever is higher. The GDPR limits transfers of personal 
data outside of the EU unless certain adequacy standards are met; it 
also requires companies to notify EU and national regulators of 
security breaches of personal data within 72 hours of the incident.
    The EU is actively promoting the adoption of the GDPR as a model 
for privacy regulations in other countries. In addition, Brazil and 
other Latin American countries are proposing or have enacted laws that 
adopt many aspects of the GDPR.
    The risk of domestic regulatory fragmentation within the United 
States for privacy is also high. In addition to several existing 
sector-specific Federal and state privacy regulations, California 
recently passed a consumer privacy bill that applies broadly across 
many sectors. Numerous other data privacy legislative proposals are 
pending in state legislatures that, if passed, would further increase 
the complexity of privacy regulations across the United States. That is 
why Business Roundtable is working to develop privacy principles that 
strengthen protections for consumers but also preserve innovation in 
the digital economy.
Government Access to Data
    The growth of digital communications over the past two decades has 
created new challenges as well as opportunities for law enforcement. 
For instance, several countries have sought to restrict the use of 
encryption or imposed data localization mandates to facilitate law 
enforcement's access to data for investigative purposes or government 
surveillance.
    Both China and Russia mandate companies decrypt and localize data 
for law enforcement and surveillance. In 2016, Russia passed a law that 
explicitly required Internet service providers to provide backdoor 
access to encrypted data and store all consumer communications for six 
months. France, the United Kingdom, Brazil, India, and other countries 
have also enacted laws that regulate the use of encryption in digital 
communications.
    Not only do these laws erode security and privacy on the internet, 
they also have a significant impact on the interoperability of digital 
platforms across borders and undermine consumer trust in technology.
Consequences of Uncoordinated International ICT Policies
    The current state of global ICT policy is complex, chaotic, and 
fragmented and could undermine growth and innovation in the digital 
economy and emerging technologies.
Fragmentation and Legal Uncertainty
    As CEOs that run the largest American companies, Business 
Roundtable members operate in many jurisdictions and serve customers 
around the globe. The international regulatory environment for ICT 
policy is forcing companies across all sectors to reconcile 
overlapping, duplicative, and sometimes conflicting requirements. The 
legal uncertainty that results from policy and regulatory fragmentation 
undermines investment, growth, and job creation. Ambiguous requirements 
and inconsistent enforcement in some countries increase the risk of 
doing business and can lead companies to reject, defer, or reconsider 
investments.
Compliance Costs
    The GDPR alone is estimated to cost Fortune 500 companies a 
combined $7.8 billion to comply, or about $16 million per firm.\3\ 
Another survey found that large organizations of 25,000 or more 
employees each are budgeting an average of $30 million to comply with 
the GDPR. Much of the cost is related to ``check the box'' exercises 
that demand significant investment from companies regardless of their 
risk profile. Some companies have decided to discontinue offering 
products and services in the EU because compliance costs are so high 
that they can no longer justify being in the market. It is not unusual 
for those surfing the web in the EU to come across websites from 
vendors that have nothing more than a note saying that due to GDPR 
requirements, the site cannot be accessed.
---------------------------------------------------------------------------
    \3\ IAPP-EY (2017) IAPP-EY Annual Privacy Governance Report 2017. 
Retrieved from 
https://iapp.org/news/a/survey-fortune-500-companies-to-spend-7-8b-on-gdpr-compliance/
---------------------------------------------------------------------------
    Data localization requirements can impose significant compliance 
burdens that raise the cost of hosting data by 30 to 60 percent for 
companies that are covered by such requirements.\4\ A study done by the 
European Centre for International Political Economy estimates that 
enacted or proposed data localization mandates in China could cost up 
to 1.1 percent of its GDP and the cost of data localization 
requirements in the EU could cost nearly 0.4 percent of its GDP.\5\
---------------------------------------------------------------------------
    \4\ Leviathan Security Group (2015). Quantifying the Cost of Forced 
Localization. Retrieved from 
https://static1.squarespace.com/static/556340ece4b0869396f21099/t/559dad76e4b0899d97726a8b/1436396918881/Quantifying+the+Cost+of+Forced+Localization.pdf
    \5\ European Centre for International Political Economy (2016 
March). Unleashing Internal Data Flows in the EU: An Economic 
Assessment of Data Localisation Measures in the EU Member States. 
Retrieved from 
http://ecipe.org/app/uploads/2016/12/Unleashing-Internal-Data-Flows-in-the-EU.pdf
---------------------------------------------------------------------------
Unintended Consequences
    A fragmented international ICT policy landscape will likely have 
the most significant and adverse impact on startups and small- and 
medium-size companies with limited resources to navigate ambiguous 
requirements and opaque reviews in countries like China or excessive 
paperwork associated with complying with EU policies. These compliance 
costs will make it more difficult for such promising and innovative 
companies to thrive and expand.
    Emerging technologies such as artificial intelligence and 
blockchain are also hindered by regulatory uncertainty and are the next 
likely targets for policy and regulatory fragmentation. The data 
minimization, automated decision-making, and ``right to erasure'' 
provisions of the GDPR can create barriers to the commercial 
development of important emerging technologies which improve and 
innovate new products and services for consumers. I will give you two 
specific examples of this: First, the GDPR imposes restrictions at 
every stage that a company collects, processes, uses, and retains 
personal data, and the impact of these restrictions on the development 
of machine learning tools is uncertain. Some companies may decline to 
integrate machine learning into their business to avoid such hurdles. 
Second, companies using blockchain and distributed ledger systems, 
technologies rooted in the notion that information should not be 
unilaterally amended or deleted from networks, will face difficulty in 
responding to data subject requests, authorized by the GDPR, to amend 
and delete their own data.
Recommendations
    Congress has an important role in creating and fostering a global 
policy environment for an open, interoperable, and global Internet and 
to promote the continued economic growth of the digital economy. To 
that end, Business Roundtable recommends the following actions:

   Establish Alliances with Like-Minded Countries to Counter 
        Protectionist ICT Policies. The U.S. Government should build 
        alliances with like-minded countries to counter technology 
        restrictions, protectionist cybersecurity and data localization 
        requirements, and requirements for businesses to transfer 
        technology and intellectual property as a condition to 
        accessing foreign markets.

   Lead in Development of International Norms, Best Practices, 
        and Standards for ICT. The U.S. Government and U.S. companies 
        should lead in developing norms, best practices, and standards 
        for the Internet and digital platforms. Areas of focus include 
        cybersecurity, privacy, and cross-border data flows. At the 
        same time, emerging technologies such as artificial 
        intelligence, autonomous vehicles, blockchain, Internet of 
        things, and robotics require serious attention, because rules 
        do not yet exist.

   Seek to Align or Harmonize Requirements to Avoid Global 
        Fragmentation. In the face of an already fragmented 
        environment, the U.S. Government should play a leadership role 
        to align or harmonize where possible existing ICT policies, 
        regulations, and standards globally, and maintain that same 
        approach for emerging technologies to avoid costly 
        fragmentation. The United States cannot afford to be missing 
        from important international forums on ICT issues, as China and 
        other countries are actively seeking to rewrite the rules of 
        the Internet and digital economy that are fundamentally at odds 
        with open markets and democratic values.

   Protect Transatlantic Cross-Border Flows. Congress should 
        act to protect the EU-U.S. Privacy Shield by making the Privacy 
        Shield Ombudsperson a permanent position of the U.S. Department 
        of State. It should also act swiftly to confirm the nominees 
        for the Privacy and Civil Liberties Oversight Board, which 
        plays a critical role in fulfilling the requirements of the EU-
        U.S. Privacy Shield.

    Mr. Chairman, Ranking Member Schatz and Members of the 
Subcommittee, thank you for the opportunity to present Business 
Roundtable's views on information and communications technology and 
their impact on competitiveness, investment, and innovation. The global 
policy environment around ICT represents a serious concern to leaders 
of these American companies that drive economic growth and job creation 
in the United States and across the world.

    Senator Wicker. Thank you very much.
    Mr. Painter.

STATEMENT OF CHRISTOPHER M.E. PAINTER, COMMISSIONER, GLOBAL 
            COMMISSION ON THE STABILITY OF CYBERSPACE

    Mr. Painter. Chairman Wicker, Ranking Member Schatz, 
members of the Subcommittee, it is a pleasure to be here today 
to discuss the impact of global Internet governance on American 
businesses, end users, and the U.S. policy of promoting and 
maintaining an open, interoperable, and secure Internet.
    For over 26 years, I have devoted my life to cyber and 
Internet issues, including, most recently, serving as the first 
coordinator for cyber issues at the Department of State. In 
that role, I worked with components across the department, the 
interagency, and outside stakeholders to advance the U.S. 
vision of cyberspace and combat both technical and policy 
challenges.
    I'll focus today on some of the policy challenges and 
recommendations to address them.
    First, it's important to note that the policy threats we 
face, though distinct, are often interrelated and have 
economic, human rights, and security elements. For example, 
when China claims absolute sovereignty over its cyberspace and 
erects a digital wall around its territory in the name of 
security that has profound economic and human rights 
implications.
    It is vital, therefore, that our response to these 
challenges not be left silent but be coordinated. We need to go 
to the full range of departments, agencies, and other 
stakeholders to advance an integrative and strategic U.S. 
policy.
    Second, cyber and Internet issues are now being debated in 
virtually every country and every international and regional 
organization. Indeed, I believe we've reached an inflection 
point where the issues discussed and the decisions reached in 
these multiple forums will have a major impact on the future of 
the Internet and cyberspace.
    Accordingly, advancing the U.S. vision of cyberspace, 
including U.S. commercial interests, requires unprecedented 
U.S.-international engagement and strategic U.S. leadership.
    Among the many policy challenges we face are threats by 
repressed regimes to replace the system of multi-stakeholder 
Internet governance with one that is driven by government-only 
multilateral bodies, in part to control content and curtail the 
free flow of information, threats posed by China, Russia, and 
others to online freedom to have both negative human rights and 
economic impacts, mandatory data localization requirements that 
are not scalable or economically practicable and are often used 
by repressive governments to help monitor and control their 
citizens, and countries and multilateral bodies around the 
world enacting or considering regulatory policy or legal 
regimes dealing with some aspect of cyberspace, including 
online privacy, cybersecurity, market access, and emerging 
technology that conflict with the U.S. values and interests or 
risk creating conflicting regimes that fragment the Internet.
    And, finally, threats by nation states, organized criminal 
groups, and other bad actors that threaten to undermine our 
confidence in the Internet and network technologies and strike 
at the very core of our economy and democracy.
    My overarching recommendation to address these challenges 
is for the U.S. to step up its international engagement on 
these issues and make them a true national priority. This 
requires enhanced structure of resources and a whole of 
government cross-cutting strategy.
    On structure, I applaud the continued efforts of my former 
colleagues at State, Commerce, and other agencies, but I 
believe those efforts have been hampered by the lack of a 
sufficiently high-level office at the State Department and the 
recent abolition of the cyber coordinator position at the White 
House.
    I commend the House and Senate efforts to restore, 
strengthen, and institutionalize my former office in the Cyber 
Diplomacy Act, and I'm particularly pleased that these efforts 
were bipartisan, reflecting the bipartisan nature of most of 
these issues.
    In the past, necessary whole of government coordination on 
these cross-cutting issues has been significantly boosted by 
the cyber coordinator position of the National Security 
Council. The loss of that high-level position, coupled with at 
least the temporary demotion of my prior office, complicates 
interagency coordination and also sends an unfortunate signal 
to both our friends and our adversaries that the Administration 
is not really prioritizing these issues.
    Resources are also vital. This, importantly, includes 
funding for capacity-building that was severely cut last year. 
Capacity-building includes working with foreign governments on 
aspects of Internet governance or regulatory policy, helping 
countries enact appropriate laws and strategies, and working 
with countries to boost their ability to combat cyber crime and 
have strong cyber-security capabilities.
    For a relatively small amount of money, targeted capacity-
building not only helps the U.S. by helping other countries 
gain the ability to work with us, but it also helps win the 
support of developing countries for our vision of the Internet 
and cyberspace.
    It's also important for the private sector, civil society, 
and other stakeholders to continue to engage in these efforts 
and enhance their participation. Though many companies and 
civil society groups are already making valuable contributions 
in a variety of international forums, given what is at stake, 
we must find ways to help increase participation.
    Finally, it is important that the U.S. has a high-level 
cross-cutting integrated strategy that leverages all relevant 
government agencies, outside stakeholders, and like-minded 
countries to deal with the many challenges we face 
internationally and help to direct and prioritize our 
engagement.
    I make a number of other suggestions in my written 
testimony, including strengthening multi-stakeholder 
institutions, including the Internet Governance Forum, showing 
leadership on privacy and other Internet policies, addressing 
data localization through, among other things, the CLOUD Act, 
and supporting cybersecurity/cyber crime and stability efforts, 
but all are dependent on an effective and strategic 
international engagement plan.
    I look forward to your questions.
    [The prepared statement of Mr. Painter follows:]

 Prepared Statement of Christopher M.E. Painter, Commissioner, Global 
               Commission on the Stability of Cyberspace
    Chairman Wicker, Ranking Member Schatz, members of the Senate 
Subcommittee on Communications, Technology, Innovation and the 
Internet, it is a pleasure to appear before you today to discuss the 
impact of global Internet governance and policies on American 
businesses, end users and the U.S. policy of promoting and maintaining 
an open, interoperable, secure and reliable communications and 
information infrastructure that is the foundation for economic 
prosperity, innovation, social growth and the exercise of human rights. 
For over twenty-six years I have devoted my life to cyber and Internet 
issues, serving as a Federal prosecutor specializing in cybercrime, a 
senior official at the Department of Justice and the FBI, a Senior 
Director of Cybersecurity Policy at the National Security Council and, 
most recently, as the first Coordinator for Cyber Issues at the 
Department of State. I have continued to work on these issues since 
leaving the Federal Government, among other things, serving as a 
Commissioner on the Global Commission for the Stability of Cyberspace 
and a Board member of the Center for Internet Security.
    My role as Coordinator for Cyber Issues at the State Department was 
the first such office established in a foreign ministry. There are now 
over twenty-five such offices in foreign ministries around the globe. 
In recognition of the cross-cutting and interdependent nature of cyber 
and Internet issues--including economic, human rights and security 
issues--my former office had a broad mandate, and worked with 
components across the Department, the interagency, the private sector, 
civil society and other stakeholders, to advance the U.S. vision of an 
open and secure cyberspace. In my six and a half years as Coordinator, 
I worked to help realize the many benefits of cyberspace while 
combatting the ever mounting technical and policy threats we face. For 
purposes of this hearing I will focus on some of the policy challenges, 
including threats to the multi-stakeholder system of Internet 
governance, threats to freedom of expression and other human rights 
online, challenges relating to cybersecurity and stability, and the 
threat of inconsistent or misguided regulatory or policy regimes that 
threaten to fragment the global Internet and undermine its economic and 
social value. I will also make some recommendations to address these 
challenges.
    First, I would like to make some general observations. The policy 
threats we face, though distinct, are also inter-related and have 
economic, human rights and security elements. For example, when China 
claims absolute sovereignty over its cyberspace and erects a digital 
wall around its territory in the name of security, that has profound 
economic and human rights implications. Similarly, when a country 
enacts a regulatory regime for cybersecurity, privacy or some other 
goal, it could, intentionally or unintentionally, significantly affect 
the free flow of information over the Internet and act as a market 
barrier. It is vital therefore that our response to these challenges 
not be siloed but be coordinated--bringing together the full range of 
departments, agencies and other stakeholders to advance an integrated 
and strategic U.S. policy. Second, cyber and Internet issues are now 
being debated in virtually every country and every international and 
regional organization (including the G7, G20, OECD, ITU, OAS, ASEAN, 
OSCE and multiple committees in the UN devoted to security, human 
rights, economic and development issues). Indeed, I believe we have 
reached an inflection point, where the issues discussed and the 
decisions reached in these multiple forums will have a major impact on 
the future of the Internet and cyberspace--determining whether we can 
all continue to benefit from this incredible technology based on the 
free flow of information and multi stakeholder governance or whether 
the growing technical and policy threats will lead to fragmentation and 
undermine its incredible potential.
    Accordingly, advancing the U.S. vision of cyberspace, including 
U.S. commercial interests, requires unprecedented U.S. international 
engagement and strategic U.S. leadership. Both structure and resources 
need to be addressed to enable the level of engagement that is now 
required.
Challenges
    Though I won't attempt to catalogue all of the many policy 
challenges we face in cyberspace, some of those relevant to this 
hearing include:
Maintaining Multi-stakeholder Internet Governance
    The U.S. has long advocated a multi-stakeholder approach to 
Internet governance that is characterized by a transparent, bottom-up, 
consensus driven process in which all stakeholders--including 
governments, the private sector, civil society, the technical community 
and academia--participate on an equal footing. This relatively novel 
approach is responsible for the tremendous growth of the Internet 
around the world and has enabled the free flow of information, vast 
commercial opportunity, innovation, resilience and robust technical 
evolution. Among others, the organizations responsible for the 
technical operation of the Internet and multi stakeholder discussions 
of policy issues include the International Corporation for Assigned 
Names and Numbers (ICANN), the Internet Engineering Task Force (IETF) 
and the Internet Governance Forum (IGF). Though these and other 
institutions can and should be further strengthened, through, for 
example, more inclusive participation, they have served the community 
well. Nevertheless, for many years, a number of more repressive 
countries, and Russia and China in particular, have sought to impose 
greater state control on the Internet and have pushed for an intra-
governmental body, such as the United Nations, to take over technical 
governance and Internet policy. In part, their push for intra-
governmental control is based on their desire to control information 
and expression that they believe can threaten regime stability. 
Imposing a multilateral government control mechanism would 
fundamentally change the Internet as we know it, and would seriously 
affect the free flow of information, human rights online and thwart 
innovation and growth. Fortunately, the U.S., working with like-minded 
partners around the world, has succeeded so far in pushing back against 
these efforts but they are likely to continue to be raised in 
the future. For example, the Plenipotentiary of the International 
Telecommunications Union, a meeting that occurs every four years to 
chart the ITU's mandate, is happening this fall. The ITU is a UN body 
that is made up of country representatives who largely have 
telecommunications expertise and, although other stakeholders can 
participate in discussion, they are excluded from decisions--a far cry 
from a multi-stakeholder body. In past meetings, some governments have 
tried to expand the ITU's scope to include technical Internet 
governance and the ITU itself has often tried to expand its role 
beyond its area of expertise to deal with a number of cyber and 
Internet policy issues. The U.S. must continue to be on high alert to 
these and other efforts and strategically work with other countries and 
stakeholders to thwart attempts to undermine the multi-stakeholder 
approach that has served us well.
Ensuring Freedom of Expression and Human Rights Online
    The global Internet has enabled unprecedented communication and 
expression and that free flow of information has had tremendous human 
rights and economic benefits. Yet despite the economic and social 
benefits of an open Internet, some states see that openness, as 
discussed above, as a threat to regime stability and seek to curtail it 
by censorship, repression and restricting Internet access. The Freedom 
on the Net Report 2017, published by Freedom House, details a sobering 
picture of declining Internet freedom around the world and the actions 
of many repressive countries to control and manipulate speech and 
content. In addition, network shutdowns are a growing problem around 
the world where a government restricts the public's access to the 
Internet during an election or other political event. Some 
cybersecurity policies can also have human rights implications. While 
the U.S. encourages countries to have cybersecurity strategies that 
fully incorporate human rights and economic interests, some states, 
like China and Russia have ``cybersecurity'' policies and laws that are 
aimed at controlling discourse and dissent. These countries both claim 
``absolute sovereignty'' in cyberspace and do not recognize that 
international human rights transcend international borders. Restrictive 
policies curtailing the free flow of information have both negative 
human rights and economic impacts. The U.S. has been a leader in 
advancing Internet freedom in the past including helping found the 
Freedom Online Coalition, a group of thirty countries dedicated to 
advocating for these issues in multiple forums around the world. The 
U.S. must continue to lead to guarantee both human rights and economic 
benefits of the Internet.
Fighting Data Localization
    A number of countries have enacted or are considering data 
localization mandates that require data belonging to residents, 
companies or entities of that country to be stored in that country. 
Though these laws or policies arise in part from concerns about 
surveillance or difficulty in accessing data for law enforcement 
investigations when stored abroad, and are often described as privacy 
or security measures, they instead, in many cases, act as trade 
barriers and mechanisms to enable greater state control of content. 
Data localization requirements, essentially mandating that U.S. and 
other global providers construct data centers in localities around the 
world, are not scalable or economically practical, and are particularly 
anticompetitive to new or smaller players. These mandates also 
completely undercut many of the benefits of the cloud architecture 
including increased efficiency, access and the possibility of greater 
security. Moreover, some states, like Russia, enact such requirements 
to better control dissent. Of course, there are legitimate concerns 
that some states have raised with respect to access to data. When data 
is stored in the U.S., our electronic privacy laws make access for a 
foreign government difficult in a law enforcement investigation even if 
the crime and participants all were in that country. The U.S. has 
attempted to address this recently through the Clarifying Lawful 
Overseas Use of Data (CLOUD) Act. Though negotiating bilateral 
agreements pursuant to this law should be a priority, the U.S. must 
also continue to push back against data localization in all of its 
engagements.
Addressing Potentially Conflicting, Misguided or Unfair Regulatory and Legal Regimes
    Countries and multilateral bodies around the world are enacting or 
considering regulatory, policy or legal regimes dealing with some 
aspect of cyberspace and the Internet. Among other things, these 
frameworks attempt to address online privacy, cybersecurity, market 
access and emerging technology such as the Internet of Things (IoT). 
Though some of these measures are meant to address real concerns in a 
country or region, they often have unintended (and sometimes intended) 
effects that extend well beyond their borders. In some cases, if the 
locally developed standard is made the global default, there is a risk 
of impacting freedom of speech or other strongly held U.S. values. In 
other cases, there is the risk of a multiplicity of conflicting regimes 
that serve to fragment Internet commerce and create a confusing 
landmine for global companies. And in some cases, the policies are 
explicitly aimed at encouraging ``indigenous innovation'' and act as 
market access barriers.
    For example, many of China's laws and regulations, including its 
Cybersecurity Law, are deliberately vague but have broad implications 
for data localization, mandatory testing, cooperation with Chinese 
authorities, forced technology transfer and market access in China. 
Though China presents this and other laws and policies as best 
practices for cybersecurity, it can act as a significant impediment to 
U.S. and other companies doing business in China, as well as serious 
human rights concerns, and will create even further barriers if adopted 
by other countries as a best practice.
    The European Union has been addressing a number of issues in 
cyberspace including privacy and cybersecurity. The General Data 
Protection Regulation (GDPR) is now the law in the E.U. Among other 
things, it creates privacy related requirements for entities processing 
E.U. citizen data that extend to most U.S. Internet and global 
companies. Yet, extraterritorial application of the GDPR may create 
conflicting obligations for U.S. companies. For instance, the GDPR 
enshrines the ``right to be forgotten'' that mandates that E.U. 
individuals can force service providers to remove certain information 
about themselves. However, such a mandate may well conflict with the 
First Amendment right of freedom of expression and unduly infringe 
public access. In cybersecurity terms, though the GDPR creates a 
standard for cybersecurity protections of personal data, and has a 
carve out for data that must be shared for network defense purposes, it 
has had an unintended consequence in potentially rendering WHOIS, an 
important tool used by industry and law enforcement to combat online 
crime, less accessible and useful. The E.U. has also been working on a 
Cybersecurity Act that mandates a mostly voluntary certification regime 
for Internet connected devices. This law has evolved significantly with 
a lot of U.S. and other industry input and could end up becoming a de-
facto global standard.
    Other countries and regional organizations are also addressing a 
myriad of other issues including cyber breach reporting and potential 
policies around the Internet of Things. Unless these efforts are 
compatible, or at least interoperable, and unless they adopt a risk 
based approach, they will pose significant challenges for U.S. global 
entities.
Promoting a Secure and Stable Cyber Environment
    The future viability of the Internet as a platform for commerce and 
social good depends on that platform's security and the long term 
stability of cyberspace. Threats by nation states, organized criminal 
groups and other bad actors threaten to undermine government, business, 
consumer and individual confidence in the Internet and networked 
technologies. Moreover, a number of recent cyberattacks and intrusions 
amply demonstrate that malicious cyber activity can have large economic 
impact.
    With respect to cybercrime, consistent laws and strong enforcement 
are paramount. The U.S. has championed the Budapest Convention on 
Cybercrime which creates consistent substantive laws and procedures. 
Sixty countries have now joined that Convention. Russia has long 
opposed Budapest and, instead, is set to promote a new cybercrime 
convention in the United Nations this fall. A new convention will take 
many years to negotiate, be less strong than the Budapest Convention 
and will likely seek to deal with content issues that are protected in 
the U.S. More importantly, if countries wait for a new convention, it 
will undermine the real need for every country to address this issue 
now.
    On cybersecurity, it is in the U.S. interest for countries to have 
comprehensive national strategies that are drafted with multi 
stakeholder input and take into account security, economic and human 
rights perspectives and for countries to have institutions and the 
ability to cooperate with the U.S. in sharing information and 
addressing online threats. With respect to both cybercrime and 
cybersecurity, targeted capacity building is important to building the 
capability of other countries to work with us in addressing online 
threats.
    Malicious nation-state activity, such as Russian interference with 
our elections and democratic processes around the world or their 
sponsorship of the economically destructive NotPetya ransomware worm, 
requires both a short term deterrence strategy and a long term effort 
to achieve cyber stability. On deterrence, we need to do a much better 
job of imposing timely and credible costs on adversaries, particularly 
nation states, who do us harm in cyberspace. On stability, it is 
important that we continue to advance internationally a framework of 
cyber stability that includes voluntary rules of the road, or norms, 
for nation state conduct. The U.S. has made a good deal of progress on 
that front, including getting agreement from many countries on 
voluntary norms that countries should not attack critical 
infrastructure in other countries in peacetime and should not steal 
trade secrets or intellectual property through cyber means to benefit 
their commercial sector. The Commission for the Stability of 
Cyberspace, on which I serve as a Commissioner, is a multi-stakeholder 
group that has sought to advance this work, including by proposing two 
norms: 1. That state and non state actors should not take actions that 
substantially damage the general availability of the public core of the 
Internet and 2. That state and non state actors should not allow cyber 
operations intended to disrupt the technical infrastructure supporting 
elections. Getting other countries to embrace these voluntary norms and 
a larger stability framework that includes the application of 
international law in cyberspace and certain confidence building 
measures, will pay both national security and economic dividends but 
more needs to be done.
Some Thoughts on the Way Ahead
Increased Coordinated International Engagement
    Given that every country and virtually every international and 
regional multilateral organization is now dealing with some aspect of 
cyberspace or the Internet, my overarching recommendation is that it is 
imperative that the U.S. Government and U.S. stakeholders step up 
diplomatic engagement on these issues around the world and that this is 
made a true national priority. This recommendation is also echoed in a 
number of the submissions to the recent Notice of Inquiry on 
International Internet Policy Priorities issued by the National 
Telecommunications and Information Administration (NTIA). To up our 
game on international engagement requires enhanced structure, 
resources, and a whole of government cross-cutting strategy.
    I applaud the continued efforts of my former colleagues at State, 
Commerce and other agencies, but I believe those efforts have been 
hampered by the lack of a sufficiently high-level office at the State 
Department and the recent abolition of the Cyber Coordinator position 
at the White House. On the first, as I noted above, my former office, 
among many other things, facilitated coordination across the government 
and helped provide high level representation with other governments to 
advance U.S. policies on a range of issues. I commend the House and 
Senate efforts to restore, strengthen and institutionalize my former 
office. The House passed the Cyber Diplomacy Act several months ago and 
the Senate Foreign Relations Committee recently voted a companion bill 
out of committee. I am particularly pleased that these were bi-partisan 
efforts reflecting the bi-partisan nature of most of these issues. 
Hopefully, the Department of State will take action on this matter 
soon.
    Given the cross-cutting nature of these issues, international 
engagement on them requires a whole of government approach that 
leverages not just the State Department and the Commerce Department but 
the full range of U.S. agencies in a coordinated and strategic way. In 
the past, that coordination has been significantly boosted by the Cyber 
Coordinator at the National Security Council. Though the coordinator 
sat in the NSC and had a focus on security issues, he also brought 
together and worked with other parts of the White House, including the 
National Economic Council, the Office of Management and Budget, the 
Office of Science and Technology Policy, and the interagency on a range 
of policy issues including Internet governance. Indeed, when the 
position was first suggested in the Cyberspace Policy Review in 2009, 
it was to be dual hatted between the NSC and NEC to fully account for 
the wide range of issues in cyberspace. In any event, the loss of that 
high-level position, coupled with the at least temporary demotion of my 
prior office, complicates interagency coordination and also sends the 
unfortunate signal to both our friends and our adversaries that the 
Administration does not really prioritize these issues.
    Resources are another important consideration. For example, 
assuming my old office is resurrected, it still needs sufficient 
personnel and funding to be effective. This importantly includes 
funding for capacity building that was severely cut last year. Capacity 
building can take many forms, including working with foreign 
governments and emerging leaders on aspects of Internet governance or 
regulatory policy, helping countries enact appropriate laws and 
national strategies, and working with countries to boost their ability 
to combat cybercrime and have strong cybersecurity policies and 
institutions. For a relatively small amount, targeted capacity building 
not only helps the U.S. by helping other countries gain the 
capabilities to work with us, but it also has the benefit of helping to 
win the support of developing countries for our vision of the Internet 
and cyberspace. Convincing these countries that we want to help and 
that an open, interoperable and secure Internet benefits them, is 
particularly important in enlisting their support in the growing array 
of multi-lateral bodies that are now addressing Internet and cyber 
issues.
    It is also important for the private sector, civil society and 
other stakeholders to continue to engage in these efforts and enhance 
their participation. Many companies and civil society groups already 
work in a variety of international forums and their contributions are 
invaluable. And, I fully understand there are significant resource and 
time constraints both for the private sector and especially civil 
society given the number of places discussions and decisions are taking 
place. Nevertheless, given what is at stake we must find ways to help 
increase participation.
    Finally, it is important that the U.S. has a high-level cross-
cutting, integrated strategy that leverages all relevant government 
agencies, outside stakeholders and like-minded countries to deal with 
the many challenges we face internationally and helps direct and 
prioritize our engagements. The U.S. International Strategy for 
Cyberspace issued in 2011 helped guide and integrate U.S. policy and 
agency actions across economic, security, and human rights issues. The 
overarching goal was that ``[t]he United States will work 
internationally to promote an open, interoperable, secure, and reliable 
information and communications infrastructure that supports 
international trade and commerce, strengthens international security, 
and fosters free expression and innovation. To achieve that goal, we 
will build and sustain an environment in which norms of responsible 
behavior guide states' actions, sustain partnerships, and support the 
rule of law in cyberspace.'' Much has happened since then and there are 
many new challenges. Although the current Administration, by Executive 
Order, mandated a number of important reports and recommendations from 
agencies largely related to cybersecurity, no larger or comprehensive 
strategy that, among other things, weaves those recommendations 
together, has yet been released.
Strengthening Multi-stakeholder Internet Governance Institutions
    There are a number of efforts underway to strengthen existing 
multi-stakeholder Internet Governance institutions to make them more 
transparent, effective and inclusive that we should continue to 
support. These efforts are important not only to make these 
institutions more capable but also to insulate them from those 
countries trying to impose intergovernmental control over the Internet. 
In addition, sustained and increased participation by governments and 
other stakeholders in these institutions is also important and 
increases their legitimacy. Among other things, the U.S. Government 
should work to sustain and strengthen the Internet Governance Forum. 
The IGF provides a valuable forum for stakeholders around the world to 
engage in discourse on the full range of Internet and cyber issues. 
Although its mandate was extended for ten years just two years ago, it 
has suffered from a lack of sustained funding, a decrease in attendance 
by senior government officials and the private sector, and issues 
related to its continuity from year to year. The U.S. is and should 
continue to be an advocate for this forum but should also help sustain 
and improve it. The U.S. has helped fund the IGF in the past and should 
do so again now and encourage other contributions. The U.S. should also 
encourage and help facilitate strong senior participation particularly 
by senior U.S. officials and other senior stakeholders. Moreover, the 
U.S. can play a key role in helping the IGF address any perceived or 
actual shortcoming without making it a decisional body or fundamentally 
changing its character.
Filling the Void and Showing Leadership
    If the United States wants to drive the global conversation or have 
its policies serve as a global standard it has to lead by example. That 
has been done in the past when, for example, we made cyber issues a 
diplomatic priority or when the National Institute of Standards and 
Technology promulgated their Cybersecurity Framework in partnership 
with industry and very effectively promoted it around the globe. Part 
of this is the high level international engagement I discuss above but 
part of it is promoting concrete alternatives. For example, with 
respect to privacy, the Obama Administration proposed a Consumer 
Privacy Bill of Rights and there was legislative action that was 
started, though not completed, to put them into law. Affirmative 
privacy legislation would help push back on misperceptions by some in 
Europe that the U.S. does not care about privacy and can serve as an 
attractive alternative for countries who are now considering privacy 
legislation of their own. Federal data breach legislation has also 
languished for some time even though every state has their own version 
of breach legislation and other countries are moving forward with their 
own proposals. I am not suggesting legislation is the only way to show 
leadership and any legislation needs to solicit stakeholder input and 
balance potentially competing interests, but the U.S. needs to present 
an affirmative vision and concrete alternatives to policies we don't 
believe serve our interests or the interests of an open and secure 
Internet.
Accelerate Negotiations under the CLOUD ACT
    The CLOUD Act coupled with an executing bilateral agreement takes 
away one of the traditional justifications for data localization. 
Accordingly, accelerated negotiations of bilateral agreements under the 
Act should be encouraged and resourced. Of course, the countries or 
groups of countries with whom such agreements are negotiated must have 
adequate due process and privacy protections and these agreements will 
not prevent governments from mandating localization if they want to do 
so to repress their citizenry or to impose market barriers, but the 
potential availability of these agreements can make a real difference 
with a number of partners. In addition, work should continue and 
resources should be allocated to streamline and speed up the Mutual 
Legal Assistance process.
Promote Cybersecurity, Cybercrime and Stability Efforts to Increase Trust and Security
    Although this may be beyond the jurisdiction of this Subcommittee, 
programs designed to increase international efforts to combat 
cybercrime and promote cybersecurity should be encouraged and resourced 
as these programs make cyberspace more profitable and secure for our 
businesses and safer for our citizens. This includes capacity building 
efforts to ensure countries have strong laws, policies and 
institutions; promotion of basic cyber hygiene measures; enhanced 
operational information sharing enabling prosecutions and enabling 
collective response to shared threats; and increased deterrence of 
malicious state actors. Finally, the U.S. should continue to 
demonstrate leadership on efforts to secure the long term stability of 
cyberspace and engage with other countries and other stakeholders on 
this important issue.
    Thank you for the opportunity to testify today on this important 
and timely issue, I look forward to your questions.

    Senator Wicker. Well, thank you, all, for this very, very 
fine testimony. It sounds like we've got some challenges and in 
that regard, Secretary Chertoff, the NTIA recently issued a 
Notice of Inquiry soliciting public comment on its 
International Internet Policy Priorities.
    In your testimony, you mentioned how so much of the 
Internet's value is in its global nature. So how do we balance 
the business needs for the free flow of data with the point you 
make about the need to protect our freedom of action which 
requires that we take greater ownership and control of our 
data, even when it is accessible to others?
    Secretary Chertoff. So I think, Mr. Chairman, you're 
referring to something in my book there.
    Senator Wicker. On Page 4 of your testimony.
    Secretary Chertoff. Right. So here's what I think in terms 
of----
    Senator Wicker. By the way, how's your book doing? Here it 
is.
    Secretary Chertoff. There it is, yes. I think it's doing 
well. You're reading it.
    Senator Wicker. Hundreds of people are watching right now.
    Secretary Chertoff. I do think that people do need to take 
ownership of their data and they do need to have more control 
over their data, particularly because so much is being 
generated now that really if we don't have some mechanism to 
assure that we have a say in what is done with it, we really 
risk our freedom.
    At the same time, I'm nervous, based on the testimony we've 
heard up to now, that the European method tends to be a little 
bit overly bureaucratic and overly heavy-handed in terms of 
regulation.
    To me, the solution is to recognize that certainly with 
most of the world that shares Western values, we have a common 
general approach and belief in the importance of individual 
freedom and individual privacy and we should acknowledge that 
and work in a cooperative way to develop a system of rules that 
honors that fundamental objective but doesn't get so 
particularistic and so heavy-handed that it actually creates 
barriers to the free flow of information.
    We've succeeded in doing this in other areas, particularly 
with the Europeans, and to echo what my co-witnesses have said, 
this does require consistent engagement by the U.S. Government 
and by U.S. civil society with counterparts in other parts of 
the world.
    Senator Wicker. Dr. Layton, you specifically testified, ``A 
popular misconception about the EU's General Data Protection 
Regulation is that it protects privacy. It does not.''
    Talk about that, and if we're going to try to negotiate 
with the EU on tariffs and preferences, shouldn't the GDPR be 
part of our negotiation?
    Dr. Layton. Short answer, yes, absolutely. Just so you 
know, the word ``privacy'' only appears about three times in 
the entirety of the GDPR, and it's specifically their version 
of data protection, and I think it's--so our--for example, you 
can go to many countries in Europe where people's mobile phone 
numbers are publicly available. Their tax returns are publicly 
available. People swim naked in public places. So we have very 
different conceptions of privacy.
    What I would like to underscore is that the GDPR is 
actually a geopolitical, not a humanitarian move. It is coming 
after 10 years of economic malaise in the European Union. There 
is deep dissatisfaction with Brussels. Less than 40 percent of 
Europeans vote in the election. So this is a reaction to that 
and I would say the Europeans that I know, they want 
prosperity. They want to move forward.
    The public opinion was not onboard with the heavy-handed 
approach that the EU took.
    Senator Wicker. I believe you said that it is not evidence-
based. Is that correct?
    Dr. Layton. That is correct. The idea of an evidence-based 
process would include a process of data and outcome. So in the 
173 provisions, you've had something over a decade of GDPR 
kinds of rules that have been in place and after a decade, what 
we can see is that only 20 percent of Europeans even shop 
outside their own country and only 20 percent of businesses are 
online.
    So the rules have not worked to increase trust in their own 
online system and that was the whole idea, that they would have 
a digital single market the way we do in the United States, and 
these rules have not helped them to achieve those goals.
    Senator Wicker. Your position is it's not good for 
Europeans?
    Dr. Layton. No.
    Senator Wicker. Is it not for Americans either?
    Dr. Layton. Absolutely. And just to share one last thing 
that's just happened, the European Soccer Leagues, they have 
now adopted a policy that they will not trade the soccer 
players and they cannot disclose the information on their 
injuries. So if you want to buy a particular soccer player, 
trade them to your team, you're not allowed to know what 
injuries they have.
    So this is also hurdling back on them, governments, as 
well. The European Governments are also liable and there's 
abuse.
    Senator Wicker. Very good. We'll probably take another 
round, if we can.
    Senator Schatz.
    Senator Schatz. Thank you, Mr. Chairman. Thanks to all of 
the testifiers.
    I'll start with Mr. Painter. You were the State Department 
Cyber Coordinator for 6 years and you described the importance 
of the position kind of as a policy and in a way in the 
abstract.
    I'm wondering if you can give me some specific examples of 
what you did that made a difference in terms of the governance 
of the Internet.
    Mr. Painter. Sure. Among other things, I think really 
central to all of this is showing U.S. leadership and building 
alliances with other like-minded countries, so that we can push 
back on a lot of the things we talked about today, particularly 
attempts by Russia, China, other countries to take over the 
Internet or to impose multilateral control over it in venues 
like the ITU, the UN, and other places.
    Getting that coalition of countries and having that 
constant interaction with them was key to doing that and that 
was the U.S. taking the lead. We weren't sitting on the back 
bench. I think that was very important.
    Also, incorporating issues around Internet governance, 
economic issues, human rights issues in every dialogue we had 
with every country. We had all these whole government dialogues 
with a number of other countries and that raised these issues, 
so they weren't stove-piped in one area or another.
    We also helped launch the Freedom Online Coalition, which 
is a group of about 30 countries, to promote freedom online and 
also working in all these different international venues, and 
we created and advanced a framework for cyber stability that 
included the application of international law, norms of 
behavior, and cyberspace confidence-building measures which 
again addresses some of the instability issues of the Internet 
because the Internet as a platform needs to be secure to really 
underlie all the commerce that we're hoping that happens 
there,----
    Senator Schatz. So----
    Mr. Painter.--and a number of other things.
    Senator Schatz. So we should re-establish the position in 
China, the statute. What else should we be doing?
    Mr. Painter. So I think there are a number of other things 
that we can be doing to promote this.
    I mean, one is, you know, to step up this whole of 
government-level engagement across the board and work with 
companies and that involves forming coalitions again with like-
minded countries who would support us, who have the same basic 
view, and engaging in that level.
    Another thing is to provide concrete alternatives. We don't 
like some of the things that are going on out there. I think we 
all agree on that, but if the U.S. isn't providing concrete 
alternatives when some of these countries or collections are 
trying to export their laws, for instance, China or even the EU 
with GDPR, if we don't have a key or an alternative that is an 
attractive alternative to other countries who are looking at 
this, they're going to adopt those standards and they're not 
going to inure to our benefit.
    So having things like there was in the Obama 
Administration, the Privacy Bill of Rights, there was some 
legislation to try to bring that forward, if we had a concrete 
alternative that really balanced all the issues that the 
panelists talked about but provided alternatives to others, I 
think that helps.
    And, you know, I think those are really some of the key 
things we could do. There are many others, but those are two of 
the important ones.
    Senator Schatz. Thank you.
    Secretary Chertoff, I think a lot of us struggle with the 
desire to look at what happened in 2016 in terms of election 
interference, especially on social media platforms, and to want 
our national security agencies and the platforms themselves and 
even voters to be more engaged so that we're not as vulnerable 
in the future.
    What we don't talk about as often is that we have to be 
pretty planful and careful and precise in terms of what model 
we establish for working with the Government to push back 
against constitutionally protected speech and that's the 
difficulty because those tools that we establish will be an 
example not just for our allies and our like-minded friends 
around the world but some of our adversaries and authoritarian 
regimes.
    I'm wondering if, you know, in the minute or so remaining 
you can talk about (a) how we strike that balance and I'm not 
sure you can answer that in a minute, so where we work on 
striking that balance to me is the fundamental question.
    Secretary Chertoff. Well, Senator, I think that's exactly 
the right question.
    Briefly, I would say this. I do think we have to be very 
protective of the First Amendment and therefore be extremely 
cautious about proposals to regulate content or say certain 
content is off limits.
    The First Amendment basically gives us freedom of speech, 
except in a very narrow category of things. Where I do think 
there's more room for actually taking some affirmative action 
is in the area of disclosure of identity about who is actually 
posting things.
    So, for example, I know there's legislation pending about 
requiring foreign entities that buy ads or otherwise pay for 
space on social media platforms. I think that's consistent with 
what we do offline and there's no reason not to do that.
    Likewise, I don't think there's any First Amendment 
protection for impersonating Americans or for bot nets or for 
automated trolling or other ways of manipulating search engines 
and those are areas I think we could quite usefully focus on, 
working together with the social media companies.
    Senator Schatz. Thank you.
    Senator Wicker. Thank you, Senator Schatz.
    Senator Fischer.

                STATEMENT OF HON. DEB FISCHER, 
                   U.S. SENATOR FROM NEBRASKA

    Senator Fischer. Thank you, Mr. Chairman.
    Dr. Layton, you had mentioned that in Europe there are some 
different expectations when it comes to privacy. I would be 
interested to know how you would define privacy in the digital 
era.
    How do we manage the privacy expectations of consumers?
    Dr. Layton. Well, I'm going to give you the research the 
Agency for Network Security actually developed and said that 
the privacy and trust is a function of four things. It's the 
level of education of the consumer or the user. It is the level 
and types of technology. It's the business practices and the 
institutions, and when you look at something like GDPR, it only 
focuses on two of the four things.
    So what I would say, if we only did one thing, we, as a 
nation or individuals, we have to do more to have people be 
digitally competent and digitally aware, and it's maybe not 
necessarily something that the Congress defines exactly what it 
is, but we have a tremendous amount of information and ability 
to communicate.
    So, for example, I want to recommend Mr. Chertoff's book, 
which I just read, and he talked about the first thing, buyer 
beware. The Number One thing in cybersecurity, you have to take 
responsibility for the platforms, the networks that you use.
    Senator Fischer. To define privacy in the era that we are 
in now, this digital era, the first thing would be buyer 
beware?
    Dr. Layton. Taking responsibility.
    Senator Fischer. It's up to each of us to figure out?
    Dr. Layton. Well, there's a gap right now. There's a gap in 
what--you know, we need to close the gap in terms of the idea 
of a digital literacy or what are the 10 things I need to know 
before I go online to protect myself and so that is the gap 
which is missing in the GDPR today. It's what the scientific 
research shows that's important and we don't even need to make 
legislation to do that. We can actually--each and every person 
can take a step up to take responsibility for what we do 
online.
    Senator Fischer. The expectation is that each individual is 
responsible and the Internet is a space where you take your 
chances?
    Dr. Layton. No, that's not what I'm saying. I'm saying the 
part of the four--the four factors that I mentioned, we're 
missing two out of the four right now. OK. So we have lots of 
regulations. We have lots of rules on businesses. OK. We have 
lots of institutions. We're missing education and we're missing 
incentives for privacy-enhancing technologies.
    So I'm trying to promote as individuals we take more 
responsibility for what we do.
    Senator Fischer. OK. Mr. Secretary, do you feel that a lack 
of any kind of unified data privacy policy could lead the 
United States to becoming more isolated?
    Secretary Chertoff. I do, Senator. I think that, first of 
all, even within the country, you know, California's now passed 
a law that deals with the issue of control of data. We could 
wind up with multistate laws that are conflicting with each 
other or at least inconsistent and certainly would be helpful 
at least to smooth it out here.
    But beyond that, to come back to the fundamental point, I 
recognize that a country like Russia or a country like China is 
going to be fundamentally different in their attitude to issues 
like controlling data and controlling information, and so 
therefore there may be limited scope for agreement there.
    But I do think with Western countries, although their 
particular approach tends to be different than ours, tends to 
be much more regulatory, micromanaging, I think the basic value 
system is very compatible and that's where I think an ability 
to reach an agreement as to what our overall objective is would 
open the door to them working on some of the differences which 
have created barriers for our businesses as well as some 
confusion about what the rules are.
    So to me, this is about ultimately how do we protect 
people's rights to make sure their data isn't being used in a 
way that's contrary to their interests or that invades an area 
that we think they ought to be in control of.
    Senator Fischer. You know, many of us on this Committee 
also serve on Armed Services Committee and we worry about the 
security of the information that agencies have and that 
agencies also share. A lot of times civilian agencies don't 
have the security, say, as the Department of Defense would 
have.
    How can we ensure that that information that's out there is 
more secure? In your role as Secretary of DHS, you were very 
involved in that. What do we as policymakers need to look for?
    Secretary Chertoff. I think the challenge here is unity of 
effort among a lot of different agencies, many of whom don't 
regard security as a core mission, and, unfortunately, Exhibit 
A is the Office of Personnel Management, which probably 
everybody in this room was a little bit of a victim of that 
hack.
    I do think the Administration has made the right decision 
in designating in terms of government security DHS as playing a 
lead role and I think it's important to make sure that the 
department has the authorities necessary to make sure that all 
the agencies live up to the requirements of basic cyber hygiene 
and cybersecurity, including continuous diagnosis and 
monitoring, response plans, and other kinds of elements of a 
layered defense.
    So that set of authorities, making sure that's firmly 
lodged in one accountable agency and that it's appropriately 
funded, I think would be a big step.
    Senator Fischer. Thank you. Thank you, Mr. Chairman.
    Senator Wicker. Thank you, Senator Fischer.
    Senator Inhofe.

                 STATEMENT OF HON. JIM INHOFE, 
                   U.S. SENATOR FROM OKLAHOMA

    Senator Inhofe. Thank you, Mr. Chairman.
    I'm glad that Senator Fischer brought up the situation on 
the Defense Authorization Bill because I see a lot of 
similarities here. In fact, we will be voting on that. The 
conference passed the House last week and we'll probably have 
it on Thursday.
    I've been watching and this does change with 
Administrations. We went through an Administration, eight years 
of the Obama Administration that, even in all fairness, really 
didn't have the priority on national defense that a lot of us 
believe it should have.
    As a result, we have some areas--I'm getting at trying to 
determine where Russia and China are now relative to us in the 
subject at hand in this Committee because I can tell you right 
now there are a lot of areas in Defense, one being in the areas 
of artillery. Artillery is measured by rapid-fire and range and 
actually Russia and China are ahead of us in both areas. 
They're ahead of us in our nuclear activities, our TRIAD, and 
this hypersonic.
    Hypersonic is the big thing that's coming into the Defense 
system because it's a system that operates at five times the 
speed of sound. So it's very significant.
    So I'd like to start off by maybe--I can ask anyone. Mr. 
Bladel, I keep hearing, and you folks are experts, but I hear 
that, yes, we're still in our areas a little bit ahead of China 
and Russia but they're catching up. Is that an accurate 
characterization?
    Mr. Bladel. Senator, thank you for the question. I think I 
probably shouldn't speak to their capabilities as state actors. 
I can say from our perspective, as a private sector company, we 
see that the largest and most frequent attacks, cyber attacks 
on our systems are originating from Russia and from China, and 
our cooperation is primarily through private sector and 
industry coalitions and coordination, both vertically and 
horizontally, throughout the technology industry.
    Senator Inhofe. You mentioned also, it wasn't in your 
written statement, when you were speaking a moment ago, that 
there are now 120 countries that have data processing laws. 
So that means there are a lot of them that don't have those and 
we should have, you know, adequate protection, I think everyone 
agrees with that, and we're more effective with partners.
    Now the question I would ask you is we all agree that 
that's right. How do we cement these relationships with the 
partners that should be doing the job with us? What's the most 
effective thing we can do to go out and attract partners who 
would also agree that we're more effective if we do it as a 
group?
    Mr. Bladel. So, Senator, I think that point was made by one 
of the other panelists, but I'll go ahead and build on that, 
that the proliferation of different privacy regulations is 
creating confusion, it's creating friction, and it is a growing 
issue, as another one of the witness's testimony noticed, that 
the GDPR is gaining momentum or GDPR-equivalent-type frameworks 
are gaining momentum outside of Europe, and I think the answer 
is that we continue to show U.S. leadership by helping to push 
back on the differences and the inconsistencies between the 
various frameworks and focus on those areas of commonality and 
try to rally around those core principles of what we believe 
to be the protection of data but allowing free flow of 
information and the conduct of commerce across borders.
    Senator Inhofe. That's good. Secretary Chertoff, you had 
made the statement that's specifically talking about the role 
of the United Nations and that Russia and China want to enhance 
that role. I think we all understand and agree with that, but 
how effectively could we try to accomplish that?
    Secretary Chertoff. I think the U.S. has generally been 
consistent in saying we don't believe the U.N. is the right 
forum for dealing with these issues, partly because, 
particularly with the Security Council, that would essentially 
politicize the process of dealing even with the technical 
aspects of the Internet, which is why, of course, the Russians 
and the Chinese want to do that.
    I think we need to continue to look to again this multi-
stakeholder model where we go to fora, where we can engage the 
private sector, the business community, and consumers in coming 
up with proposals for how to reconcile the various interests 
that are a part of the Internet.
    Just to follow up a little bit on the prior question, a lot 
of--they used to say a lot of life is just showing up. A lot of 
dealing with these issues is showing up, by being present, by 
dealing with your counterparts in other countries.
    My experience is you will often find there's a greater 
degree of fundamental agreement than might be evident at first 
but in order to be able to have the impact you've got to play.
    Senator Inhofe. All right. Very good. Thank you very much. 
Thank you, Mr. Chairman.
    Senator Wicker. Thank you, Senator Inhofe.
    Senator Capito.

            STATEMENT OF HON. SHELLEY MOORE CAPITO, 
                U.S. SENATOR FROM WEST VIRGINIA

    Senator Capito. Thank you, Mr. Chairman. Thank all of you 
for being here today.
    I would like to say just at the onset that the Department 
of Homeland Security is in New York today announcing, I think, 
a really great move on their part, which is a new Cyber Hub to 
protect our critical U.S. infrastructure, sort of goes a little 
bit into what we're saying or a lot of into what we're saying 
today, but to be that flexus point or nexus point of the 
Nation's banks, energy companies, and other industries to help 
protect them from major cyber attacks. I want to say thank you 
to the Secretary and I know that she probably asked for your 
advice as she's moving forward. I think it's a very good thing.
    All of you have talked about the GDPR and regulations that 
have come from the EU. Some of you have addressed it in a 
problematic way. I think, Mr. Bladel, you talked about how it's 
causing you to divert assets into figuring out how to do this.
    I think, Dr. Layton, you said, interestingly, that a 
popular misconception is that it protects privacy. You said it 
does not. It is about data protection or, more accurately, data 
governance and your last statement in your written statement 
says, ``Data protection is a technical issue whereas data 
privacy is a legal issue.''
    Do you think, as we look at governance, we need to look at 
both of these issues together? If you could talk about that a 
little bit.
    Dr. Layton. Surely. I think the key difference is privacy, 
we might see in the United States as a natural right and 
something inviolable, something we're born with, versus in the 
European conception, it's a government-granted right.
    So the key difference there is, you know, what government 
gives government can take away. A key difference from the U.S. 
perspective is that our natural rights are things that are 
inherent. We don't ask anything of anyone else to have those 
rights versus a European approach is it's making requests and 
requirements of others in order to do those things. So our 
understanding of privacy is fundamentally different.
    The other aspect is amongst these 173 provisions, it's 
really a hodgepodge of essentially a laundry list of a set of 
stakeholders that want to have certain regulations to be able 
to go after American companies, to achieve outcomes that they 
could not achieve in the courts or through antitrust, and the 
GDPR itself actually reverse engineers a number to create a 
class action lawsuit culture, so that people can have standing 
in court to be able to bring lawsuits they couldn't before.
    To date, the Europeans didn't want to have the sort of U.S. 
style class action lawsuit culture, for better or worse, and 
that has changed now so that we have now the abuse of 
complaints. You could get a million complaints in a day that is 
just automatically generated.
    So there are 62 data protection authorities in the EU and 
they don't have training on how to do this. The enforcement 
will be very disjointed. It's primarily focused on U.S.----
    Senator Capito. I guess if we're looking at this in terms 
of the future, we need to look at lessons learned here as 
they've been trying to implement theirs.
    Mr. Painter, in your statement, along those same lines, you 
say that the GDPR enshrines the right to be forgotten, that 
mandates that EU individuals can force service providers to 
remove certain information about themselves.
    When I asked Mark Zuckerberg when he was in front of our 
Committee, I asked him do individuals have the right to delete 
their individual information, in other words, remove themselves 
from Facebook, personally I believe they should have that 
right, he assured me that they do have that right and that it 
does happen, but I'm still not convinced it's not out there 
somewhere and that it cannot be retrievable in some form or 
fashion.
    Do you have a statement on that?
    Mr. Painter. Yes, so I think there are positive aspects of 
deleting your data, and I do agree you should be able to delete 
your data and control your data and have access to your data 
and have transparency into your data. That's some of the data 
privacy things we should be looking at.
    What this does, though, I think, is create a tension with 
the First Amendment and human rights because what it says is 
you can delete your data anywhere. You can do it perhaps as a 
public figure, other newsworthy stories that people have a 
right to consume, impacts First Amendment rights.
    So the trick is making sure you're doing this in the right 
way and the approach taken by the EU, I think, is too broad. I 
totally agree with you, though, for providers, like Facebook 
and other providers like that, it's your data and you should 
have a chance to edit it, to remove it, et cetera, and have 
access to it.
    Senator Capito. Well, it seems to be just in the general 
sense if we're going to figure out how to move forward 
internationally on privacy, there are so many conflicts and 
then we haven't even, in my questioning, you know, gotten into 
what Russia and China think your right to privacy is, which 
is obviously vastly different.
    So thank you all very much.
    Senator Wicker. Before I recognize Senator Peters, was the 
GDPR a statute enacted by the European Parliament or was it 
written by a regulatory agency? I know it just went into effect 
in May. Who can answer that? Dr. Layton?
    Dr. Layton. Sure. So if you will ask Jan Philipp Albrecht, 
who's the member of Parliament who--he's called the ``Father of 
GDPR,'' he said that essentially formalized existing laws in 
the European Union.
    Senator Wicker. Of course, that's not----
    Dr. Layton. That would be parliamentary laws and then there 
would be an EU----
    Senator Wicker. Who issued it?
    Dr. Layton. The Parliament. So that's their Congress, if 
you will, the EU Congress.
    Mr. Painter. But, I mean, it's important, as I understand 
the EU regulation-making or law-making, it's the Parliament, 
it's the Council, which is all the member states, and it's the 
Commission, which is essentially the bureaucracy, and they come 
together and, in fact, they're looking at something around 
certification for cybersecurity products right now, which the 
U.S. has been engaging in.
    So this is perhaps a cumbersome process but there are 
chances for the U.S. to intervene, to have input, and we need 
to make sure that's happening.
    Senator Wicker. Would it take an act of the Parliament to 
amend or change the GDPR?
    Senator Peters, thank you for allowing me to interject.

                STATEMENT OF HON. GARY PETERS, 
                   U.S. SENATOR FROM MICHIGAN

    Senator Peters. Thank you, Mr. Chairman. Thank you for 
holding the meeting, and Ranking Member, thank you, and to our 
panelists, appreciate the discussion.
    You know, as we talk about the GDPR going into effect, we 
have to remember that the United States, if we're going to show 
some leadership, we probably should have some comprehensive 
policy regime ourselves, which we are still lacking in this 
country. It's hard to show leadership to the rest of the world 
if we can't even get our act together here in this country.
    And as all of you know, our largest tech companies are 
under some pretty intense global scrutiny right now for their 
mistreatment of data and while other countries are beginning to 
levy fines against these companies, we are just now beginning 
to ask the questions of whether or not they're too big and 
perhaps in need of being reeled in somewhat.
    So amidst some of these antitrust discussions, Mark 
Zuckerberg and other tech giants are now recognizing that 
perhaps some privacy regulation may be necessary. However, 
there still seems to be a lack of will to participate in 
productive discussions about what these regulations should 
basically look like.
    So my question to the panel is, as we talk about GDPR as it 
relates to global e-commerce and the impact that it's going to 
have on U.S. companies, from your perspective, were companies 
that were affected by regulation, were they at the table? Were 
they part of the discussion as it went forward or was their 
lack of participation resulting in why we are in the position 
that we're in today and the concerns that you've raised? We can 
start down here with Mr. Chertoff.
    Secretary Chertoff. Well, you know, I was not involved in 
these discussions, but my understanding and impression is a lot 
of these companies do have a significant presence in Brussels 
and did attempt to lobby and interact, but I think the effect 
of that is diminished if the U.S. Government's not fully 
engaged for obvious reasons.
    Senator Peters. Mr. Bladel.
    Mr. Bladel. Yes, Senator. Our company was not engaged in 
the development of GDPR. However, we were engaged as part of 
the Multi-Stakeholder Governance Forum, particularly in ICANN, 
in understanding what to do with GDPR and particularly how it 
impacted our industry.
    Senator Peters. Did you see it coming?
    Mr. Bladel. We probably had less notice than we would have 
liked, Mr. Chairman, probably about a year to 18 months in 
advance was all we received.
    Senator Peters. Dr. Layton.
    Dr. Layton. Well, first of all, I would say I have been 
very pleased by the response of Congress to look at these 
issues. I've found it has been bipartisan. I think that there 
has been a good faith effort on both sides of the aisle to 
address the issue and I'm very encouraged by that.
    What I would say about our American approach, the merit of 
it is that we have focused traditionally on sensitive 
information. We know there are things that are inherently 
sensitive, health, financial, information about children. So 
the advantage of that, well, certainly for the taxpayers' 
perspective, we focused our resources where we know there was a 
threat.
    So under GDPR world, me as an academic, I have the same 
liability as a major company. So there are concerns about small 
entities being unduly burdened and so I think that there is 
real value to the American approach we have taken.
    Ms. Zheng. So Business Roundtable represents some of the 
largest American companies, not just in the technology sector 
but across all sectors of the economy, and I would say that our 
member companies were definitely engaged in GDPR. They do have 
a presence on the ground in Europe.
    However, you know, the European Union is going to take 
their opinions with a grain of salt, right, because it's 
ultimately, you know, these are American companies, 
headquartered in the United States, American jobs. It's about 
the growth of American companies. They're willing to hear, you 
know, our concerns but I don't know how interested they are in 
addressing them.
    That said, I think that companies, you know, are very much 
willing to come to the table now and have an honest discussion 
about a national standard for data privacy in the United States 
and how to engage with the European Union and countries in 
Asia, as well, to promote an interoperable framework. So we 
look forward to working with members on that.
    Mr. Painter. And I would emphasize that word 
``interoperability.'' We're not going to change the GDPR now 
that it's in effect likely.
    However, I think it's important that we have regimes that 
are interoperable and we also put forward our own views on 
this. I think there was a lot of engagement by U.S. companies 
and U.S. trade associations, frankly the Government, too, with 
the EU to try to push back or guide this, just like we do in a 
lot of other areas.
    I think that can always be stepped up. I'll use the recent 
example--and it also reflects, I think, a view in Europe or for 
many in Europe that the U.S. doesn't care about privacy, which 
is just wrong. I mean, the FTC does probably more actual 
enforcement of privacy than most of the European entities.
    However, we need to fill that void. We need to show 
leadership in this area so there are alternatives and this 
doesn't become a global standard, and I'll use the example of 
the certification regime I talked about a little earlier. I was 
just in Europe talking to parliamentarians and others about 
that, a lot of industries over there, talking to them, and 
there have been changes in that draft law that incorporates a 
lot of the things that U.S. industry and U.S. stakeholders and 
global stakeholders wanted, making sure these are industry-
driven, making sure they're voluntary, making sure this 
reflects a risk-based approach.
    That's important. That level of engagement needs to be 
continued.
    Senator Peters. Great. Thank you for all your thoughts. 
Appreciate it.
    Senator Wicker. Thank you, Senator Peters.
    Senator Gardner.

                STATEMENT OF HON. CORY GARDNER, 
                   U.S. SENATOR FROM COLORADO

    Senator Gardner. Thank you, Mr. Chairman. Thank you to the 
witnesses for your time and testimony today.
    I had the opportunity a month ago or so to visit some 
nations in Southeast Asia. I visited Vietnam, I think it was 
the same week that they were considering legislation requiring 
data localization and what that would mean for Vietnam. I was 
trying to understand it and explain it.
    Ms. Zheng, when you talk to businesses and when they 
interact with you, do they talk about the need to share with 
foreign governments democratic values, ideals, things that we 
believe in in America?
    Ms. Zheng. Yes, absolutely, and I would add that there are 
various forums where we could be pushing that agenda more 
aggressively. So, for example, in our negotiations on NAFTA, 
digital trade should be a part of that negotiation. A lot of 
their, you know, sort of underlying open market, open data 
flows priority should be included as part of that.
    There are also other forums that we should be more actively 
engaged in, such as the APEC CBPR Forum on Privacy. OECD is 
also, I think, taking another look at their privacy principles 
next year.
    We need to make sure that not only, you know, companies but 
also the American Government, that we're fully engaged in those 
forums.
    Senator Gardner. Dr. Layton, what does a country or 
government like Vietnam intend to do with data localization 
policies?
    Dr. Layton. I'm not sure what Vietnam has in mind but 
certainly a concern to me. I'm going to punt that question to 
another person on the panel.
    Senator Gardner. Mr. Painter, Secretary Chertoff, what does 
a China do or Vietnam do with them?
    Mr. Painter. So, you know, especially with China but 
Vietnam has some of these tendencies, too, there are various 
reasons countries have done this.
    One is to limit market access, which is a concern. One is 
for a realistic concern, which is it's very hard to get data 
for law enforcement purposes. That's addressed by the CLOUD 
Act. I think we need to do more of these bilateral agreements.
    But the third is to monitor and control their citizens 
better and Russia is a good example of this. China is a good 
example. If you have all the data there, it's much easier to 
see what your citizens are doing, to monitor them, to have 
mandatory data turnover legislation to make sure that the 
intelligence and other services have access to it. That's often 
what the goal is and that's harder and that's why we also have 
to push back on this human rights agenda along with the 
economic agenda.
    Senator Gardner. I think that's exactly right. Secretary 
Chertoff, what role then should the U.S. businesses play 
because a lot of these telecom companies will be involved--
excuse me--technology companies will be involved in the buildup 
of a localization or data center? So how does--what 
responsibilities does U.S. business have then at that point? 
How do you balance the need for economic opportunity and growth 
and market access with the fact that a government that may be 
using it to target individuals within its own country?
    Secretary Chertoff. You know, I think that's a challenging 
ethical problem for companies. It's a little bit like the issue 
about whether you furnish intrusive surveillance technologies 
to countries that are going to use it to oppress their own 
citizens.
    Now, on the one hand, I think some companies take the view 
that if you're--as long as we're talking about China's desire 
to have data about Chinese citizens held in China, that that's 
really a matter for the Chinese and they're agnostic. Others 
view that as enabling something that they see as inconsistent 
with the culture of openness and they withdraw.
    So I do think that we need to think very carefully about 
the extent to which we enable the kind of behavior on the 
Internet that's really fundamentally inconsistent with our 
values.
    Senator Gardner. You mentioned in your testimony a Cyber 
NATO. Could you talk a little bit more about that?
    Secretary Chertoff. Yes. I think, you know, we have a 
regular NATO, which I do think has a cyber dimension, but I 
think it's Toomas Hendrik, the former President of Estonia, who 
has talked about really having a community of like-minded 
nations that would defend our cyber assets against attacks and 
not necessarily rising to the level of war that would get into 
Article V but even something less than that, something that 
attempts to manipulate the political process or engages in 
systematic espionage or things of that sort.
    Senator Gardner. So, Mr. Painter, when SISA passed the 
Congress, I included legislation that required a U.S. cyber 
diplomacy strategy. You were there. We had a lot of 
conversations about it at the time.
    So given this need for a Cyber NATO or at least this idea 
of a Cyber NATO kind of approach, given the idea of a need to 
have more agreements with like-minded nations as it relates to 
cyber behavior data issues, et cetera, are we on the right 
strategy? Do we need a new strategy? Where are we?
    Mr. Painter. So I very much worry that it's not being 
prioritized, that we're not showing the kind of leadership from 
the top that we need to do, and, you know, there was a lot of 
work we did really starting this issue from the ground up 
because it wasn't really a diplomatic issue before and just a 
number of years ago it was established as one.
    We were the first office in the State Department that did 
this. Now 26 other countries, including China and Russia, have 
those offices. But I think it's important to always look and 
revise the strategy we have and make it stronger and that 
strategy not only helps direct the efforts of the particular 
agency but really across the Government and other stakeholders 
so they know where we are and other countries and so there have 
been a number of things that were ordered as part of an 
Executive Order early in the Administration on cybersecurity 
issues.
    We still haven't seen the strategy come out of that. We 
haven't seen a comprehensive strategy of how you pull all these 
agencies and others together. Obviously, you know, the 2011 
International Strategy was a good document but that was 2011. 
Things, you know, have continued to advance. So we need to make 
sure we're fine-tuning and prioritizing.
    I'd say one other thing we did in the State Department is 
we had every regional bureau did engagement strategies around 
all these issues and we had two versions of them to really 
fine-tune those efforts. That needs to be done, too.
    Senator Gardner. Do we need an ambassador, cyber Ambassador 
at State Department?
    Mr. Painter. I think we do. I mean, I'm very supportive of 
the Cyber Diplomacy Act. I testified in the House about it. I 
think it's a really good approach. I hope it passes this 
Chamber, as well. I think it really will help elevate our game 
and I think that'll be important and it's not just the 
Ambassador position. It's really the structure that gives this 
heft and priority.
    Senator Gardner. Thank you. Thank you, Mr. Chairman.
    Senator Wicker. Are the panelists all in agreement on the 
concept of a Cyber NATO? Does anyone wish to take issue with 
that?
    [No response.]
    Senator Wicker. No one steps up.
    Mr. Painter. I think it depends on how it's formed. I mean, 
I know Toomas Hendrik is a friend of mine, as well, and it just 
depends on the details and how this gets put but certainly the 
idea of having like-minded countries come together in the 
common defense against shared threats, that's an important 
concept.
    Mr. Bladel. And based on that description, it's something 
that would be interesting but we haven't formed any sort of a 
position on that yet. We're just hearing about it.
    Senator Gardner. Mr. Chairman, it surprises me we don't 
have such a thing. I mean, why don't we have it? What's the 
closest thing we have to such an agreement?
    Secretary Chertoff. NATO does actually work together. They 
have Center of Excellence and they do----
    Senator Gardner. Right.
    Secretary Chertoff.--address this issue. Now the issue 
becomes, I think, in part at what stage you reach the level of 
actually invoking Article V and whether that needs to be 
somehow adjusted in the context of cyber activity.
    I will say that in 2007, when I was Secretary, we did work 
with Estonia when they were attacked by the Russians with a big 
denial of service attack. So I don't think this is a big 
stretch. It may just be more a question of kind of formalizing 
what has been operating for a while.
    Mr. Painter. And it could be also upping NATO's game more 
on this. I mean, I think NATO has done a lot of things. Cyber 
is one of the key concepts of NATO and that was back now about 
seven or 8 years ago and in the last few communiques from NATO, 
cyber has played a key role. There's a lot of focus on both 
defending NATO countries' assets but also what they can do in 
terms of responding to threats and then part of this is going 
to be beyond NATO.
    If we're going to impose costs on adversaries, like Russia, 
that's going to be us working with other allies. It's not 
necessarily going to be all of NATO but there's going to be a 
subset of us and we need to be able to do that.
    Senator Wicker. Important testimony. Thank you, Senator 
Gardner.
    We now have Senator Hassan.

               STATEMENT OF HON. MAGGIE HASSAN, 
                U.S. SENATOR FROM NEW HAMPSHIRE

    Senator Hassan. Well, thank you, Mr. Chair, and thank you, 
Ranking Member, for this hearing, and thank you to all of the 
panelists for being here today.
    I want to just start with a question to you, Secretary 
Chertoff. On the topic of cybersecurity, I want to address 
Russia's ongoing attacks on our election system and our 
electrical grid.
    Last week, the Wall Street Journal published a story that 
stated that Russia's military and intelligence had consistently 
sought to hack U.S. utilities and critical infrastructure. In a 
few instances, Russia's state-sponsored hackers even gained 
access to the utility control systems.
    As one DHS official stated, this is a quote, ``The Russian 
hackers got to the point where they could have thrown 
switches.'' The Russian penetration of one of our nation's most 
important utilities certainly conjures up fears of a Russia 
cyber attack that would leave American communities without 
electricity for days, weeks, or even months.
    While serving as Secretary, Mr. Chertoff, you helped stand 
up to the National Protection and Preparedness Directorate, 
NPPD, at the Department of Homeland Security, which is charged 
with defending against cyber attacks and strengthening the 
security around our Nation's critical infrastructure.
    Given your history with this mission, could you please 
discuss how DHS can better defend against these Russian attacks 
on our utilities and what sort of tools and relationships are 
needed to stop these attacks?
    I know there was a discussion about this new hub that 
they're thinking about and it sounds to me like a good first 
step, but what should we be doing?
    Secretary Chertoff. So I agree, I think this hub is a good 
first step. You know, when I was in office, we actually talked 
about co-locating the principal actors in the private sector 
critical infrastructure together with our government officials 
so we could really work in real time in identifying threats.
    We're not there yet but I think this is a good step 
forward. I would continue to press that as well as giving 
clarity to some of the elements of critical infrastructure 
about exactly what they need to do.
    One of my recommendations has been to take the Safety Act, 
which applies in giving liability protection for certain 
counterterrorism technologies and extend that to cybersecurity, 
so you'd create economic incentive for companies to invest in 
processes and technologies that would lower their risk of 
cyber. So I think that's one area we ought to be focused on.
    The second, candidly, is we need to have a clear doctrine 
about how we respond to various kinds of intrusions by enemy or 
adversary nations into our critical infrastructure.
    You know, we know what we did in 1963 during the Cuban 
Missile Crisis when missiles were positioned in Cuba. What 
happens when malware's positioned in critical infrastructure? 
Do we treat that as espionage and reconnaissance? Do we treat 
it as positioning a potential weapon?
    I think we need to have clarity and a discussion about what 
our strategic response is to these varying levels of threat. I 
know in the NDAA there's a provision for a Project Solarium in 
cyber which would be the equivalent of what we did after the 
invention of the Atomic Bomb to develop a doctrine, and I think 
having a doctrine and having a strategy and a set of rules of 
engagement would go a long way in creating some element of 
deterrence to what right now, I think, is a very ambiguous and 
challenging environment.
    Mr. Painter. If I could say one thing on that?
    Senator Hassan. Sure.
    Mr. Painter. I think there's a critically important part 
that's missing. We don't even have a declaratory statement that 
things like Russian interference in our election, the big 
NotPetya Worm that caused economic damage with its 
prepositioning is something we're going to take action on and 
impose costs on. We need to do that. We need to do that now.
    Senator Hassan. Well, that's very helpful, and on the issue 
of the private-public not only interaction and partnership 
being important, it's something that I agree with you on and 
that's why today, Senator Portman and I are introducing a bill 
that would establish the DHS Cyber Incident Response Team Act 
and it would authorize in law DHS's Cyber Hunt and Incident 
Response Team and allow select private sector cyber experts to 
participate in these teams. So we're trying to move this 
forward.
    I appreciate that insight very much. I also take to heart 
the point about having a doctrine and really treating cyber 
attacks as the threats that they are and the attack on our 
country that they are.
    Mr. Chairman, I'm just about out of time. So I will yield 
it back. Thank you very much, and thank you all to the 
panelists again.
    Senator Wicker. We didn't have a doctrine in 1963 until it 
happened, did we, Secretary Chertoff?
    Secretary Chertoff. In 1963, what we relied upon was the 
view that essentially positioning missiles very close to the 
United States was sufficiently a war-like act that we could 
engage in a blockade. I think we called it a quarantine to kind 
of fuzz it up a little bit, but I think it relied upon 
principles in the physical world that were relatively well 
accepted.
    It gets much more complicated in cyber because, first of 
all, people loosely use the word ``attack.'' Sometimes it just 
means espionage, which we've never regarded as an act of war. 
Sometimes it means literally something that could result in 
loss of life, which is unquestionably an act of war, and then 
you have this middle position.
    So this is, I think, a much more ambiguous set of 
circumstances than the physical world.
    Senator Wicker. Thank you very much.
    Senator Udall, you've been very patient. Senators have come 
and gone and you've stayed here.

                 STATEMENT OF HON. TOM UDALL, 
                  U.S. SENATOR FROM NEW MEXICO

    Senator Udall. Thank you, Chairman Wicker.
    Senator Wicker. You're recognized for five and a half 
minutes.
    Senator Udall. Thank you. Thank you, Senator Schatz. 
Appreciate the panel being here today.
    As a member of the Foreign Relations Committee, I'm 
particularly concerned about how powerful tech-savvy countries, 
like Russia and China, limit access to the Internet in their 
own nations by banning and controlling any dissent online while 
simultaneously using the same banned platforms, like Facebook, 
to sponsor and promote disinformation in the West and in the 
U.S.
    We are now all too aware of Russia's pervasive misuse of 
social media in our 2016 election and the Brexit vote in the 
U.K. The U.S. has a critical role, I think, as all of you have 
been talking about here, to play in ensuring that we are 
deterring this kind of state-sponsored disinformation campaign 
while promoting an open and global Internet.
    Russia's, and I guess this first question but others can 
comment, as Mr. Chertoff and Mr. Painter, Russian militia cyber 
activity remains a national security threat, no doubt about 
that. They attacked our 2016 election and sponsored the 
destructive NotPetya malware.
    What are the most important actions our Government should 
be taking to deter Russia from this type of malicious activity? 
Just focus on, say, one or two or three like that, I think 
would be good.
    Secretary Chertoff. Well, I think when you deal with 
ransomware, particularly ransomware that can potentially affect 
industrial control systems and have an impact on human life, I 
think that deserves the kind of response that we would do with 
respect to a physical attack that might have a threat to human 
life, which means we have to have the ability to respond either 
in kind or in another way to deter that.
    When it comes to information operations, which, to be 
honest, go back a hundred years to the Comintern, when the 
Soviet Union existed, I don't regard that as an act of war. I 
do think it's a matter where there are things we can do in 
terms of calling out who's really responsible for putting posts 
up or things like the Internet Research Agency in St. 
Petersburg where they use armies of trolls to drive stories, 
but I think legally as well as in terms of our, in general, set 
of values, we don't want to actually censor content, even if we 
know it to be untrue and false because the cure for falsity 
tends to be truth and once you go down the road of censorship, 
it doesn't really stop.
    Mr. Painter. And I would add to that, I think that, you 
know, we've seen a lot of malicious activity from Russia and 
the DNI has said that Russia is one of the foremost damaging 
cyber actors or capable cyber actors, China, Russia, North 
Korea, and Iran, but Russia really at the top, and Russia has 
hit us in a variety of ways, including NotPetya, including the 
election interference, including this prepositioning, and yet 
we haven't really done anything to affect Russia's calculus in 
any event.
    And so we obviously don't want to be overly escalatory. 
We're not going to shut off the lights in Moscow, for instance, 
but we should do something that will actually affect Putin in 
his decisionmaking in the future and there has been this effort 
now to call out things. There has been a NotPetya. A number of 
countries got together and I think that's good to build those 
alliances and have countries to come together and say that 
Russia was responsible. Great. But you're not going to name and 
shame Russia. You actually have to do something that's going to 
have an effect and that goes to the doctrine question.
    And then, also, I would think in the U.S., there are other 
things we could be doing, like having a task force, a high-
level task force to deal with election interference. As a cyber 
guy, I don't think we really saw this coming. We saw threats to 
infrastructure. We saw espionage, but this hybrid attack is 
something that requires a real concerted approach.
    The declaratory policy I talked about is important, too, 
and, look, we can do the sanctions. We can do all the tools we 
have, diplomatic sanctions, law enforcement, and others, but if 
we don't have high-level messaging and consistent messaging 
from the top, that undercuts all those efforts.
    So if you send a message that this is unacceptable and then 
send a message, well, maybe it's OK, that just undercuts 
everything we're doing.
    Senator Udall. Mr. Chertoff or any of the other panelists 
want to weigh in on that?
    Dr. Layton. So I wanted to say thank you for bringing up 
this concern and I certainly agree with the panelists.
    What I just want to emphasize, I think when you--we can 
think about the threats to our security, not just from--maybe 
from military, but there are economic threats, and if I have 
any bit of advice for Congress, I think we haven't paid 
attention to the rise of Chinese platforms.
    Two years ago, the Chinese app market exceeded the United 
States in revenue and downloads and I know a lot of people who 
already use the Chinese versions of Amazon and Google and so 
on, and they don't want to open their markets to the United 
States. They want an indigenous technology strategy, but they 
want to come and take our markets.
    So I would like to put up that the threat of China from an 
economic perspective for our digital economy is just as great 
as the cybersecurity threat from Russia.
    Senator Udall. Do I still have my 30 seconds?
    Secretary Chertoff. Could I just add one other thing I 
think we need to focus on? The Chinese have indicated that in 
the next few years, they want to become global leaders in 
artificial intelligence. The way you build artificial 
intelligence or machine learning is with data and it's not a 
surprise that we've seen some incredibly large data thefts in 
the last few years, like the OPM theft, Yahoo, one of the other 
credit companies, but I think we need to be mindful that these 
kinds of data thefts, while they may not seem that critical, 
actually can be feeding a very significant growth in artificial 
intelligence capability which may be what we're talking about 
in a committee like this in 5 years.
    Senator Udall. You mentioned, Mr. Chertoff, on the 
misinformation and the answer is truth. We should be mindful 
because the frustrating thing is there's an old saying in the 
West. The lie gets halfway around the world before the truth 
puts on its boots. So we need to realize by being open like 
that, we're also taking a hit at the front end but we have 
faith that it will prevail in the end, that the truth will 
prevail.
    Thank you very much. Thanks to the panel.
    Senator Wicker. Senator Markey, are you ready?
    Senator Markey. Ready to go.
    Senator Wicker. Jump in front of Senator Cantwell.

               STATEMENT OF HON. EDWARD MARKEY, 
                U.S. SENATOR FROM MASSACHUSETTS

    Senator Markey. It's a privilege to be at such an important 
hearing today and, Mr. Painter, in your written testimony, you 
state that, ``The future viability of the Internet as a 
platform for commerce and social good depends on that 
platform's security and the long-term stability of 
cyberspace.''
    I share your belief in the importance of cybersecurity and 
I'm particularly concerned about cyber threats of the IoT, the 
Internet of Things or the Internet of Threats, which it is 
simultaneously, where our devices, our appliances, our machines 
all connect with one another.
    Mr. Painter, the EU is currently considering a 
cybersecurity act, which would create a single cybersecurity 
certification standard for information and communication 
technology devices.
    I have introduced similar legislation in Congress, the 
Cyber Shield Act. My bill would establish an advisory committee 
of cybersecurity experts from academia, industry, consumer 
advocacy communities, and the public to create cybersecurity 
benchmarks for IoT devices, such as baby monitors, cameras, 
cell phones, laptops, and tablets.
    IoT manufacturers can then voluntarily certify that their 
products meet those industry-leading cybersecurity and data 
security benchmarks and display the certification to the 
public.
    Mr. Painter, are you supportive of establishing voluntary 
standards like this in order to inform consumers and catalyze 
industry investment in cybersecurity?
    Mr. Painter. Senator, I think the U.S. has a history of 
advancing these things, NIST, for instance, with a critical 
infrastructure, the NIST Framework.
    I think in this area, this is a lot like a UL----
    Senator Markey. UL?
    Mr. Painter. Underwriters Laboratory on electric devices, 
and I think it has a lot of merit. I think it makes a lot of 
sense, particularly if you look at a couple things.
    One, voluntariness, two, built with the industry that it's 
meant to apply to, so the industry and it's not a one-size-
fits-all and I don't read your bill to be that. I read your 
bill to be built with industry, with this advisory committee.
    I think also it needs to be risk-based, so you're not 
necessarily prescribing a particular technology but you're 
looking at what the risks are. I think all those are good 
things.
    I think there are a lot of comments that the U.S. 
stakeholders have had in the EU Cybersecurity Act that they've 
taken. The one thing I'd also be cautious of is to make sure 
that it's not creating a conflicting regime with what's being 
done in the EU but at the same time, I think would show U.S. 
leadership because a lot of countries are thinking about this.
    I know Singapore and a number of other countries are 
creating consortiums and other people to look at IoT regulation 
and artificial intelligence regulation.
    I know DHS and Commerce put out some principles on this 
about a year and a half ago, but I think this kind of voluntary 
regime built with industry has a lot of merit.
    Senator Markey. Do any of the rest of you agree that a 
voluntary regime could work in the United States using that 
kind of framework? Yes, Mr. Secretary.
    Secretary Chertoff. I agree with that and something I 
suggested a little bit earlier might also be relevant here, 
which is to take the Safety Act concept, which we use with 
respect to counterterrorism technologies, and apply that over 
here, as well, because it creates an economic incentive to get 
the certification since the Safety Act caps liability and 
damages. So I think that kind of approach would be very 
worthwhile.
    Senator Markey. Thank you. Ms. Zheng.
    Ms. Zheng. I was just going to add, I think I want to 
reiterate on Chris Painter's point, which is interoperability 
is a key issue here.
    One concern is that if there is a voluntary regime here in 
the United States for IoT that dictates how IoT products are 
designed or developed or maintained, that other countries would 
also feel that that gives them license to develop their own 
national approach and there again you have tremendous 
fragmentation.
    So, you know, I'm happy to hear that the approach that 
you're thinking is inclusive of industry and developing it, but 
I think that fragmentation concern is real.
    Senator Markey. Mr. Painter, if I may, Secretary Tillerson 
chose to downgrade the cyber coordinator position, your former 
position, last year, even as we know there's an intensification 
of cyber attacks on our country. We know that there is 
malicious cyber activity coming from North Korea, from Russia, 
from China, from other places.
    What's your recommendation as to what our Government should 
be doing in order to elevate rather than downgrade this role?
    Mr. Painter. So I think the threats are only increasing. 
The policy threats are increasing. The technical threats are 
increasing. The actors that are attacking us, whether they be 
transnational or organized criminal groups or nation states, 
are increasing.
    We have to make this a national priority. We can't afford 
to demote this issue or make it a boutique issue that's only 
dealt with it by the cyber people. This has to be an engrained 
national priority from this Administration, from every 
Administration, and I think downgrading these roles and 
downgrading the roles at the White House sends the wrong 
message to both our friends and our adversaries. We need to 
lead in this area.
    Senator Markey. Yes. I hear you. I think the Trump 
Administration made a big mistake. We will in fact put the laws 
on the books that we need. I'm afraid it's just going to come 
after we have a catastrophic event in our country and then 
everyone will say who knew this could happen. We know this can 
happen. That's what you're testifying today. We should put the 
preventive laws on the books.
    Thank you, Mr. Chairman.
    Senator Wicker. Thank you very much, Senator Markey.
    Senator Cantwell.

               STATEMENT OF HON. MARIA CANTWELL, 
                  U.S. SENATOR FROM WASHINGTON

    Senator Cantwell. Thank you, Mr. Chairman, and thanks for 
having such an important hearing, and I really appreciated the 
testimony of the witnesses. You've all said very illuminating 
things as it relates to our challenge as a nation, both on the 
commercial side of working together on tightening up where we 
are and certainly, Mr. Chertoff, talking about the attacks to 
the grid and the large-scale efforts on things like Ukraine can 
be very devastating to the United States, and, Mr. Painter, 
thank you for articulating that we need to be doing much, much 
more than we're currently doing.
    That's why last week, my colleague and I, Senator Graham, 
sent a letter to the President saying please step up, both on 
the assessment side and the resource side because this is a 
pretty big issue.
    But one thing I wanted to ask about, writ large, given all 
of your testimony, because I agree, I don't think provocation 
comes anymore with a foreign sticking its, you know, nose in 
U.S. waters or a plane flying over. I think provocation comes 
from, you know, this kind of hacking of a power plant or a 
pipeline or something of that nature that we are seeing in 
other parts of the world.
    So I think this debate has gotten a little off course as it 
relates to what we do and what other people do and I just want 
to be clear since you're all articulating an international 
focus.
    Should it be clear and should the United States lead such 
an effort that any attack on an election system, that is the 
actual system itself, to interfere with an election, should be 
something that we should unite the entire world, that that is a 
cyber crime, and should be prosecuted?
    Mr. Painter. Well, we saw two aspects of this. One, the 
attempted attack on the election infrastructure itself and also 
the influence operations, so we meet those in two different 
ways.
    But, absolutely, if you look at critical infrastructure, 
yes, we're working about prepositioning on power grids and 
other things, but if there's an attack that really undermines 
the democratic foundation of our system, that's a huge deal and 
we need to take that seriously.
    In this Commission that both Secretary Chertoff and I are 
on, this Commission for the Civil Society, we just recently 
released a proposed norm for governments and others to take up, 
which is exactly that, you should not attack the systems, the 
devices, the mechanisms that are used for elections, for 
democratic and other elections, and I think that's a key thing.
    So, absolutely, and I think that's one of the things we 
should continue to have discussions with other countries on. We 
know that the Dutch, we know the Germans, the French, and 
others have also and the Estonians and almost all the Baltic 
countries have seen this. So it is absolutely a big deal.
    Senator Cantwell. Is everybody else in agreement with that?
    Dr. Layton. What I would just like to add, I really welcome 
that Congress is taking the concern, taking this up, but what I 
think it's important to say that there has been desire by other 
countries to influence our elections for decades.
    So, you know, this isn't the first time it's happened. I 
think it's great that Congress responds now but this has been 
going on for a long time and just to pick up the point, I 
applaud that Congress is going to pick up legislation to look 
at particular areas we need for cybersecurity.
    Senator Cantwell. No. I'm asking you whether you believe in 
an international--that we should be leading the charge 
internationally to say that anybody who tries to influence with 
the election process in a cyber way is a cyber crime and that 
we should unite the world against that? That's what I'm asking.
    Dr. Layton. OK. No, what I would like to express to you is 
I think that the cyber concern has been maybe for 25 years now 
and we have been slow to fully integrate it into the military.
    So I don't think we need to make the silo. I think it 
should be fully part of the military from the ground up. So I 
don't need to have to call it that and so there has been some 
resistance because of maybe the way the established Defense 
Departments are. They have their turfs that they have been 
reluctant to bring cyber in and integrate it as they should.
    Senator Cantwell. Trust me, that's why I'm working with 
Senator Graham, because the two of us are going to keep 
focusing on this.
    Mr. Chertoff.
    Secretary Chertoff. I have to say I completely agree that 
we ought to work with all of our like-minded colleagues 
overseas to see that interfering with the actual infrastructure 
of elections is completely off limits and unacceptable.
    The information operations gets challenging because while 
we should resist them, we need to be careful how we articulate 
it because if you go to Moscow, they'll say, great, let's get 
rid of, you know, the National Endowment of Democracies and, 
you know,----
    Senator Cantwell. I agree. That's why I'm bringing this up, 
Mr. Chertoff, because I do not want to lose action on the first 
part.
    Secretary Chertoff. Correct.
    Senator Cantwell. And we should be leading the charge. No 
government should be involved in interfering with the actual 
election operations. End of story. We should be leading the 
charge, but there are some people running around this town 
basically saying, oh, well, there's this other stuff and we all 
do it and we should let this go. We should not let this go, so.
    Secretary Chertoff. I agree with you. They're totally 
different. We should not blur the lines in a way that blunts 
our ability to respond.
    Senator Cantwell. Thank you, Mr. Chertoff. Thank you.
    Senator Wicker. Thank you, Senator Cantwell.
    Senator Cruz.

                  STATEMENT OF HON. TED CRUZ, 
                    U.S. SENATOR FROM TEXAS

    Senator Cruz. Thank you, Mr. Chairman. Good morning. 
Welcome to each of the witnesses. Thank you for being here.
    Dr. Layton, this past January, as you know, a memo leaked 
from the National Security Council which called for 
nationalizing the 5G Mobile Broadband Networks and since then, 
the Administration has been less than clear in rejecting that 
idea.
    I and many members of the Senate consider that to be a 
profoundly bad idea. That's why Senator Cortez Masto and I 
together introduced the E-Frontier legislation last week, which 
would prohibit the Federal Government from nationalizing our 
Nation's commercial telecommunications network without 
authorization from Congress.
    Dr. Layton, in your judgment, what would it mean if the 
Federal Government were to nationalize our Nation's 5G 
networks?
    Dr. Layton. There would be a disaster. I saw the press 
release today, and thank you and Senator Cortez Masto for your 
leadership. It certainly helps me sleep well at night.
    But I would say if there's one point that we know in 
telecommunications policy that we have evidenced over and over 
again is that governments should not be running the 
telecommunications network. It has been a colossal waste of 
money, colossal waste of energy, and it's not where we should 
put our resources, particularly when we have private companies 
who are willing to put up $300 billion to have all kinds of 
competitive 5G networks. So it's not where we should put our 
money.
    Senator Cruz. In your judgment, is the E-Frontier Act the 
right direction for this committee and Congress to go?
    Dr. Layton. Absolutely.
    Senator Cruz. Does anyone on the panel disagree? Does 
anyone think that the Federal Government nationalizing 5G is a 
good idea?
    [No response.]
    Senator Cruz. Secretary Chertoff, what are your thoughts on 
the implications, if the Government were to try to nationalize 
5G?
    Secretary Chertoff. Well, again, I'm not sure exactly what 
that would look like. I'm not sure exactly what that would look 
like, but, in general, I think nationalization of a function 
like that stifles innovation and puts the Government in a 
position which overreaches in terms of what its proper role is.
    Senator Cruz. Mr. Bladel, there has been considerable 
attention devoted in Congress and in the national discussion to 
the role of tech companies and social media companies engaging 
in political censorship.
    What do you think the role and what does GoDaddy think the 
role should be of tech companies censoring the speech of 
others?
    Mr. Bladel. So thank you, Senator. I can't speak for the 
entire industry but from GoDaddy's perspective, we do not want 
to be an arbitrator of free speech. We don't believe that's an 
appropriate role for us as a private sector company. We are 
supporters of an open Internet that supports free expression 
and welcomes all views.
    That said, we do have Terms of Service for using our 
platform for communication and there are some very specific 
cases that would cause us to suspend or terminate service, 
illegal activities, threats of violence, and pharmaceutical 
sales and things that are called out in our Terms of Service.
    So any content complaints that we receive are subject to a 
case-by-case review and then we decide according to our Terms 
of Service, but as a private sector company, we do not want 
that role.
    Senator Cruz. So I think you would not find disagreement 
when it comes to shutting down criminal enterprises conduct 
that clearly violates criminal law. What does obviously raise 
questions is when it's not criminal conduct, it is simply 
content that may be offensive, that may be wrong, but that is 
not illegal, and then the question becomes who should be the 
gatekeeper. Who decides what speech is permissible and what 
speech is not.
    Have there been instances in your company's history where, 
because of disagreement with content, you have shut down access 
to a website?
    Mr. Bladel. So typically as part of that review, the 
content would have to contain illegal materials or rise to the 
level of a direct call for or threats of violence for us to 
take action.
    Senator Cruz. You obviously operate within the tech space. 
Should social media companies, in your judgment, be neutral 
public forums? Should they respect First Amendment principles 
and allow, as John Stuart Mill put it, the cure for bad speech 
to be more speech rather than a priori censorship?
    Mr. Bladel. So in my view, and I think this is shared by 
GoDaddy and other companies in our space, is that we want the 
Internet to be as open and welcoming as possible for free 
expression and that it's not the role of the platform to judge 
content on whether it's offensive or whether it's allowable. It 
should only be on those narrow cases of illegal materials.
    Senator Cruz. Thank you.
    Senator Wicker. Thank you very much, Senator Cruz.
    Senator Klobuchar.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank 
you to all of you.
    We have a Judiciary hearing going on. So I just snuck down 
here and I want to thank you for your work.
    As many of you know, I've worked, because of my role on 
Judiciary and Rules and this Committee, I've worked really hard 
on this issue and I really see this, what happened to us in the 
last election, as a cyber attack and there are plenty of good 
issues that were raised here by my colleagues about the power 
grid and other things, but I want to focus on this, and I'll 
start with you, Mr. Chertoff.
    I know you mentioned the bill I have with Senator Lankford, 
the Secure Elections Act, which would basically streamline 
information-sharing between Federal and State agencies. It was 
quite an outrage that our 21 states that were hacked and too 
many of them didn't find out for a year and that way they can't 
protect themselves because they don't know what other hack was 
going on in another state.
    So my first question is, do you think our states are 
adequately prepared? You know, we got the $380 million out in 
the last budget agreement, and what else should we be doing to 
protect our voting equipment?
    Secretary Chertoff. Well, I think there's greater 
understanding now they have to get engaged and they have to get 
engaged with DHS.
    When I was at Aspen a couple weeks ago, I mean, the word we 
got from DHS was that all the states to some degree are 
engaging now, but to be honest, this ship is going to take 
awhile to turn around.
    You've got aging infrastructure in many places. I think 
some states are not even fully aware of how much they're 
connected to the Internet.
    Senator Klobuchar. You also have 14 states that have either 
no paper ballot or partial paper ballot.
    Secretary Chertoff. Right. And that's going to require a 
change in equipment and change in protocol.
    So the short answer is we're not where we need to be. We're 
moving in the right direction. We ought to press the 
accelerator on this. I don't know that we're going to have this 
problem fixed by 2018. I would be very doubtful, but certainly 
we're going to have elections in 2020 and by then, we should 
have had the problem fixed. So we've got to step it up.
    Senator Cantwell. And what's Microsoft's Defending 
Democracy Initiative doing to help state and local officials?
    Secretary Chertoff. What they're trying to do is, and I 
think it's a relatively new initiative, is work with a lot of 
different groups to both help people understand what the 
threats are--I mean, I think at a public forum we had in Aspen, 
they indicated that in fact they identified some candidates 
whose databases had been hacked.
    I think raising awareness, sharing the information about 
technical solutions, and working both in terms of raising the 
game on infrastructure protection and more generally on 
information operations. They're looking at kind of supporting 
all these efforts.
    Senator Klobuchar. And then also on the front of the 
political ads, as you know, it wasn't just about elections and 
candidates, it was also disrupting democracy with issue ads. 
That's why I've introduced the Honest Ads Act with Senators 
McCain and Warner.
    Do you agree that it's important that we have uniform 
standards across platforms for these ads?
    Secretary Chertoff. Yes. Absolutely. It's crazy to say that 
we can require for television ads or newspaper ads but not to 
do it for platforms, and let me just add one other thing. This 
is not just about elections.
    I think that we are seeing and will continue to see Russian 
efforts to motivate people to have civil disorder where they 
get both groups on the right and the left to come to the same 
place and they try to gin up violence.
    Senator Klobuchar. Thank you. Those are the issue ads that 
are included in our bill but some of the platforms are saying, 
well, we should just do candidate ads, which is not the 
standard for radio or TV or newspaper, and we've seen what they 
were doing in energy issues and other things where they 
actually had a financial interest, Russia did.
    Secretary Chertoff. Yes.
    Senator Klobuchar. And I think they've been overlooked 
because of the obvious focus on the 2016 election.
    Secretary Chertoff. That's exactly right.
    Senator Klobuchar. OK. Dr. Layton, my last question here. 
Over the last few years, we've seen personal information be 
disclosed. We are proud of our social media and Internet 
companies in the U.S. They're incredibly innovative and a lot 
of smart people are working there, but yet even Mr. Zuckerberg 
at his hearing has said that we need to put some rules of the 
road in place. They don't have to be exactly what Europe did. 
We can do our own.
    Could you comment on the Social Media Privacy Protection 
and Consumer Rights Act that Senator Kennedy and I introduced?
    Dr. Layton. Well, you know, I want to applaud you for your 
leadership and I think if anybody thinks Congress is not up to 
task, you've proven them wrong. You know, you guys were very 
quick to turn something around and I'm very grateful for that.
    So, I mean, I think in this hearing, this is exactly the 
steps that we need to take. In terms of--and this is the 
conversation. It would be wrong to say, oh, you know, Europe 
did this, let's hurry up and get our version. I think that's a 
mistake. I think that this committee is going through the 
necessary steps. It's taking the input from all the 
stakeholders and, you know, I think my particular feedback 
today is the two important components that we haven't included 
that's very important is the consumer education component as 
well as we need incentives for privacy-enhancing technologies 
and that's why a safe harbor that would allow a company to 
innovate a new technology, they wouldn't be punished for it, 
for example, because we know the first time you make a version 
of your product, it may not work, and so there's no kind of--we 
need a safe harbor for that permissive innovation.
    I think that your bill had a provision for that and I thank 
you for that. I think ultimately we'll win this through 
innovation, science and technology.
    Senator Klobuchar. Thank you very much, and the rest of the 
questions I will do on the record because I'm out of time, but, 
Ms. Zheng, I did have a question about data localization and 
the problems that creates and will just do that on the record, 
and then, Mr. Painter, I'm sure I'll have some cyber attack 
questions to ask you about.
    So thank you very much.
    Senator Wicker. Thank you, Senator Klobuchar.
    I have a letter, dated today, to Senator Schatz and me, 
from Pat Kane, Senior Vice President of Verisign, Incorporated, 
and I ask unanimous consent to place it in the record at this 
point. Without objection, that will be done.
    [The letter referred to follows:]

                                                      July 31, 2018
Hon. Roger Wicker,
Chairman,
Subcommittee on Communications, Technology, and the Internet,
Committee on Commerce, Science, and Transportation,
Washington, DC.
Hon. Brian Schatz,
Ranking Member,
Subcommittee on Communications, Technology, and the Internet,
Committee on Commerce, Science, and Transportation,
Washington, DC.

Dear Chairman Wicker and Ranking Member Schatz:

    Thank you for holding today's hearing, which provides Committee 
members the opportunity to explore important issues regarding the 
global Internet and digital communications issues. Verisign is an 
important stakeholder in the global Internet ecosystem. Our company 
operates the critical infrastructure that helps keep the world's 
digital economy online. We perform critical and unique services that 
keep the Internet running. We publish the authoritative root zone file 
daily, we operate 2 of the world's 13 root servers, we operate the 
network infrastructure for the most important top-level domains, .com 
and .net, and we are trusted to provide the back-end operations to the 
United States government for the critical .gov TLD. We are proud that a 
few weeks ago we marked our 21-year anniversary for operating the .com 
and .net Domain Name System without any service interruption.
    With this background in mind, we are writing to offer Committee 
members our perspective--based on the company's 25-year history of 
providing critical infrastructure services for the global Internet 
community--on policy issues surrounding the domain name system (DNS), 
and in particular, issues related to the Cooperative Agreement between 
Verisign and the Department of Commerce. Arguments related to the 
Cooperative Agreement arise in the written testimony of Mr. James 
Bladel, GoDaddy's Vice President of Global Policy. That testimony does 
not, however, adequately describe the vibrant and competitive landscape 
in the DNS that has taken root after 25 years of U.S. Government policy 
that established competition in the DNS as an important objective at 
the dawn of the Internet era. We will help complete that record today.
    While GoDaddy asserts that Verisign's share of the ``legacy generic 
Top-Level Domains (gTLDs) is over 80 percent,'' this presents an 
unrealistic and incomplete snapshot of the global DNS. Indeed, since 
2012, roughly 20 million domains have been registered in other TLDs, 
including new gTLDs (like .attorney and .bank) and ccTLDs (like .uk and 
.de), all of which compete for registrations in this industry. In fact, 
.com and .net make up only about 44 percent of the total world wide 
registrations, a number that has been shrinking since the introduction 
of new gTLDs by ICANN in 2012. Verisign is limited by regulation that 
requires it to sell domain names only to accredited retailers at a 
fixed price of $7.85. Verisign is also prohibited by regulation from 
selling directly to consumers. These retailers, of which GoDaddy is by 
far the dominant market power, sell to consumers and, because they are 
unregulated, they sell domain names for any price they choose. 
Furthermore, GoDaddy sets market prices both in the U.S. and abroad 
unfettered by government or ICANN regulation.
    Second, Mr. Bladel discusses the negative impact of .com pricing on 
small business who are ``very sensitive to price increases'' and that 
``any increase has the potential to suppress their ability to grow. . . 
.'' Mr. Bladel however, does not disclose that GoDaddy sets the price 
for domain names and that for many names, it charges prices that are 
many thousands of times the wholesale price of $7.85. GoDaddy sets 
these prices and charges consumers, including its small business 
customers, the prices it believes the market will bear.\1\ In fact, 
recently, GoDaddy has become one of the biggest players in the 
secondary market--having bought hundreds of thousands of these domain 
names so that it can sell them to consumers at prices far in excess of 
their wholesale price of $7.85. Some estimate that the secondary market 
exceeds $1.6 billion per year. Indeed, GoDaddy has a platform that it 
uses and allows others to use to sell these domain names in addition to 
the many hundreds of thousands of names it has already purchased. For 
example, offered on GoDaddy's website today:
---------------------------------------------------------------------------
    \1\ The benefits from the regulatory price caps on .com that 
GoDaddy and others do not want changed have not been uniformly passed 
on to consumers.
---------------------------------------------------------------------------

   ``Olemiss.com'' offered at $9,499 (Ole Miss is a registered 
        trademark of the University of Mississippi)

   ``BestUsedCars.com'' offered at $27,900

   ``Yoursenator.com'' offered at $9,999

   ``MariaCantwell.com'' offered at $9,888

   ``SenatorMarcoRubio.com'' offered at $5,000

   ``SenatorLee.com'' offered at $5,000

   ``SenatorCruz.com'' offered at $5,000

   ``Blackburn.com'' offered at $127,400

    Third, Mr. Bladel recommends that the .com Registry Agreement 
between ICANN and Verisign be ``put out for competitive bid.'' Again, 
Mr. Bladel's testimony fails to disclose a critical fact and that is 
that every single registry agreement with ICANN, not just .com but 
over a thousand of other such agreements, contain a presumptive right 
of renewal that requires ICANN to renew the agreement unless the 
registry operator does not perform its obligations under the agreement. 
As Mr. Bladel admits, there are ``no complaints'' with our performance 
under this agreement and therefore, there is simply no basis to raise 
this issue.
    Finally, the Committee should recognize that Mr. Bladel's testimony 
with respect to the Cooperative Agreement, could be seen as that of a 
distributor who seeks to constrain the wholesale price \2\ of its best-
selling product in the name of consumers without acknowledging its own 
substantial commercial interest in doing so, or its own practice of 
reselling domain names at exorbitant prices. And while completely 
ignoring the critical infrastructure services Verisign provides not 
just to GoDaddy and its customers, but to Internet users world-wide, 
who, for 21 straight years have had uninterrupted availability of our 
networks in order to reach their online destinations.
---------------------------------------------------------------------------
    \2\ Consumers can avoid any price increase in any ICANN top-level 
domain by purchasing a ten-year registration as permitted under all 
ICANN registry agreements.
---------------------------------------------------------------------------
    Verisign thanks the Committee for the opportunity to provide this 
perspective given our experience as a leading critical infrastructure 
provider for global Internet services.
            Sincerely,
                                                  Pat Kane,
                                              Senior Vice President
                                                         VeriSign, Inc.

    Senator Wicker. We are told that another distinguished 
Member of the Committee may be on his way.
    Senator Schatz, I think this has been a very excellent 
hearing. Perhaps we can filibuster for another moment or two. 
There are dozens of questions we could ask.
    You know, Dr. Layton, are you speaking for AEI or on your 
own behalf?
    Dr. Layton. No. Thank you for giving me that opportunity to 
clarify. As my submitted testimony shows that I do not 
represent the positions of AEI or any other entity. I'm 
speaking purely in my own capacity. I also am a visiting 
researcher at Aalborg University in Copenhagen, Denmark. We 
have a center that works on privacy and security research. So 
my work is--I'm not speaking for that center but it is informed 
by the research that we do there.
    Senator Wicker. And, Ms. Zheng, you are speaking today on 
behalf of Business Roundtable, are you not?
    Ms. Zheng. That's correct, sir.
    Senator Wicker. Yes. You know, I noticed that AEI published 
an article just a few days ago with regard to the $5 billion EU 
fine against Google and it stated that EU's record $5 billion 
fine for antitrust violations involving its Android operating 
system is protectionism masquerading as consumerism.
    It strikes me that AEI's got a point there, Dr. Layton.
    Dr. Layton. Well, AEI doesn't make any official positions. 
We have many--we have over 200 scholars. We all have different 
views. We have major debates within our organizations. 
Sometimes we have more anger against each other than people 
outside the AEI. So we actually take very disparate positions 
because we believe in the competition of ideas.
    Senator Wicker. Very good. Would anyone else like to 
comment on that? Mr. Bladel.
    Mr. Bladel. Senator, thank you, yes. I think that from our 
perspective, it just shows what we're up against in terms of 
the EU's willingness to impose fines on U.S. tech firms, 
whether that's coming from this particular incidence, which is 
involving mobile operating systems, or whether that's coming 
from something like GDPR. It's one of the reasons why we're 
proceeding very cautiously in our compliance efforts with 
regard to those European regulations.
    Senator Wicker. It seems that all is not well between our 
Government and the EU.
    The hearing record will remain open for two weeks. During 
this time, Senators will be asked to submit any questions for 
the record. Upon receipt, the witnesses are requested to submit 
their written answers to the Committee as soon as possible.
    Thank you all and this hearing is now adjourned.
    [Whereupon, at 11:55 a.m., the hearing was adjourned.]

                            A P P E N D I X

   Prepared Statement of Hon. Bill Nelson, U.S. Senator from Florida
    Each day, around the world, billions of dollars in digital commerce 
is conducted online. And that economic value does not take into account 
the enormous social and political contributions the free and open 
Internet has made--and continues to make--around the world.
    The internet's vast success is intertwined with its fundamentally 
global nature. Thanks to the work and cooperation of many around the 
world, the Internet of today truly is borderless. A small business in 
Florida can create a website and instantaneously sell products and 
services all over the globe. A photographer along the Space Coast can 
post images of the latest commercial space launch and inspire 
schoolchildren in faraway lands. A researcher at a Florida college or 
university literally has at her fingertips the collected knowledge of 
all of history--whether that knowledge resides in Europe, Africa or 
Asia. And any of the millions of citizens of my home state can stay in 
touch with friends and relations around the world through social media, 
e-mail, and many other internet-based platforms.
    But we cannot take for granted that the Internet of today will be 
the Internet of tomorrow.
    First, nefarious actors continue to exploit the global Internet to 
harm democracy, human rights and trade. Each day it seems we uncover 
new information about election meddling and disinformation campaigns by 
state and non-state actors targeting the heart of our democracy. Cyber-
attacks are becoming a daily occurrence--many of which are launched by 
our foreign adversaries. We know for a fact that these cyber-attacks 
have penetrated critical parts of our infrastructure and economy--
including major defense contractors, international corporations, and 
our power grid.
    Second, many countries around the world are adopting policies that 
threaten to fragment the global internet. Of course, each nation bears 
a solemn responsibility to protect its citizens from harm--including 
the unique harms to privacy and security that come from the internet. 
But when those restrictions are used for digital protectionism or to 
harm international competition, they start to unravel the global 
internet.
    Our country must continue to defend the free and open internet, 
which depends on the ongoing successful multistakeholder approach to 
international Internet governance. But to defend today's Internet from 
fragmentation, it requires diplomacy and international engagement on 
these issues at the highest level. Yet we stand at a time when the 
budget of the State Department has been slashed, when our cyber-
diplomatic core has been decimated, and when our Nation's relationships 
with our traditional allies (allies that in the past have supported our 
approach to international Internet governance) are increasingly 
strained.
    We must redouble our efforts to defend a free and open Internet 
throughout the world. We cannot stand for gatekeeper control to the 
internet--even more so when a nation is trying to undermine the value 
of the Internet as a platform for digital commerce and information 
exchange. I am glad our witnesses are here today to reaffirm the need 
for the U.S. to be at the table in international fora on Internet 
governance and to engage in productive bilateral and multilateral 
conversations on the future of the Internet with our international 
partners. Failing that, I fear that the transformative and equalizing 
benefits of the Internet we have seen in the last two decades could be 
undone.
                                 ______
                                 
                                             CreativeFuture
                                                      July 17, 2018

Hon. Chuck Grassley, Chairman,
Hon. Dianne Feinstein, Ranking Member,
Senate Committee on the Judiciary,
Washington, DC.

Hon. John Thune, Chairman,
Hon. Bill Nelson, Ranking Member,
Senate Committee on Commerce, Science, and Transportation,
Washington, DC.

Dear Chairmen and Ranking Members:

    We, the undersigned, are creatives who make our living in the 
entertainment industries. Whether we work in film, television, 
publishing, music, or photography, we and our colleagues have all been 
affected by the rampant, illicit activity that occurs on the major 
Internet platforms, including Google and Facebook.
    There has been growing concern in Washington, in the press, and 
among Americans about the lack of responsibility exercised by the major 
Internet platforms toward harmful and illegal activity taking place on 
their services.
    For decades, online gatekeepers like Facebook and Google have 
turned a blind eye to the proliferation of widespread societal harms on 
their platforms. From sex trafficking to foreign influence over our 
elections, from privacy to piracy, it has become increasingly clear 
that more needs to be done to ensure platform responsibility.
    In recent hearings in both the House and the Senate, Facebook's 
CEO, Mark Zuckerberg, characterized Silicon Valley's failure to take an 
appropriately broad view of its responsibility as a ``big mistake.'' 
But whether the lack of responsibility was a ``mistake'' or something 
else, the failure of Facebook, Google, and others to take 
responsibility is rooted in decades-old government policies, including 
legal immunities and safe harbors, that treat these companies 
differently than other industries and actually absolve internet 
platforms of responsibility.
    This must change. As long as these companies are allowed to 
continue to operate in a policy framework that prioritizes their growth 
and wealth over accountability, American creativity will be harmed 
along with many other important societal interests.
    Google needs to join Mr. Zuckerberg in stepping forward and 
embracing a broader view of its responsibility. But the real problem is 
not any one company. The problem is endemic in a system that applies a 
different set of rules to the Internet because it's ``exceptional,'' 
and utterly fails to impose ordinary norms of accountability on 
Internet businesses that are built around monetizing the content of 
others.
    We want to sincerely thank you and your colleagues for asking 
Facebook to testify--and Google should be next up to the microphone. We 
understand that Google has been invited to appear. This problem will 
continue to affect millions of Americans, both in their day-to-day 
lives and in their pocketbooks, until action is taken to correct it. 
It's long past time to hold Google, Facebook, and other Internet 
platforms responsible for their actions and inactions that hurt 
consumers, creativity, and the American economy.
            Sincerely,

Pamela Abdy
Makeready
Executive Producer: Kill the Messenger
Producer: Garden State, Identity Thief

Gina Amoroso
Co-Producer: Revolutionary Road

Dave Andron
Executive Producer: Justified, Snowfall

Eli Attie
Co-Executive Producer: House, M.D.
Producer: The West Wing

John Baldecchi
Digital Riot Media
Executive Producer: Happy Death Day
Producer: Conan the Barbarian, Point Break

George Bamber
Director: Hit the Floor
Assistant Director: S.W.A.T.

Chris Baumgarten
Producer: All I See is You, The Forgiven, Shattered Glass
Co-Producer: Hook

Peter Baxter
President and Co-Founder, Slamdance Film Festival

Susan Becker
Costume Designer: Father of the Bride, Flatliners, True Romance

Harold Becker
Director: Malice, The Onion Field, Sea of Love

Larry Becsey
Partner, Intellectual Property Group

Steve Beeks
NEXT Entertainment

Betsy Beers
Executive Producer: For the People, Grey's Anatomy, How to Get Away 
with Murder, Station 19

Alec Berg
Executive Producer: Barry, Silicon Valley

Albert Berger
Bona Fide Productions
Producer: Election, Little Miss Sunshine, Nebraska

Claire Best
Claire Best & Associates

Tony Bill
Director: Flyboys
Executive Producer: Going in Style
Producer: The Sting

Jason Blum
Blumhouse

Bill Borden
Executive Producer: High School Musical, Kung Fu Hustle
Producer: El Mariachi, End of Days, La Bamba

Marty Bowen
Temple Hill Entertainment
Producer: First Man; The Fault in Our Stars; Love, Simon; The Maze 
Runner Trilogy; Uncle Drew

Chris Brancato
Co-Creator: Narcos

Mark Burg
Producer: Saw, Saw II, Saw III, Saw IV, Saw V, Saw VI, Saw VII
Executive Producer: Anger Management, Two and a Half Men

Allison Burnett
Writer, Director, Producer, Executive Producer: Ask Me Anything
Writer: Autumn in New York

Eric Cady
Senior Counsel, Independent Film & Television Alliance

Alessandro Camon
Executive Producer: Wall Street: Money Never Sleeps
Writer: The Messenger

Benedict Carver
Eclipse Pictures, Inc.
Executive Producer: Eye in the Sky, Map to the Stars, Winchester

Jon Cassar
Executive Producer: 24, Forsaken
Director: 24, Forsaken, Fringe, Medici: The Magnificent, The Orville, 
Revolution

Cotty Chubb
Producer: The Dinner, Eve's Bayou, Pootie Tang

Dylan Clark
Dylan Clark Productions
Producer: Planet of the Apes Trilogy

Jane Clark
Film McQueen
Producer: Elena Undone
Director, Editor, Producer, Writer: Crazy Bitches, Meth Head

Tena Clark
CEO, DMI Music
Author: Southern Discomfort

Susan Cleary
Vice President & General Counsel, Independent Film & Television 
Alliance

Christopher Cleveland
Writer: Glory Road; McFarland, USA

Bruce Cohen
Producer: American Beauty, Milk, Silver Linings Playbook

Charlie Corwin
Founder, Corwin Media
Executive Producer: Dual Survival, Half Nelson
Producer: The Squid and the Whale

Julie Costanzo
Co-Producer: Miss Representation
Producer: Adventure Divas, The Virgin Suicides

Cindy Cowan
Executive Producer: Red Lights, Savior
Producer: Very Bad Things

Pierce Cravens
Metropolitan Entertainment
Theatre Producer: Oh, Hello
Producer: Concrete Kids, This Isn't Funny

Kirk D'Amico
President, Myriad Pictures
Producer: The Last Word
Executive Producer: Kinsey, Margin Call, Van Wilder

Martha De Laurentiis
Producer: Hannibal, Red Dragon, U-571

Donald De Line
Producer: I Love You, Man; The Italian Job; Ready Player One

Chip Diggins
Producer: Nancy Drew and the Hidden Staircase, A Walk in the Woods

Joshua Donen
Producer: Gone Girl, The Quick and the Dead
Executive Producer: House of Cards, Mindhunter, Spartacus

Dennis Dugan
Director: Big Daddy, Grown Ups, I Now Pronounce you Chuck & Larry, You 
Don't Mess with the Zohan

Cassian Elwes
Producer: Dallas Buyers Club, Mudbound
Executive Producer: Lee Daniels' The Butler, Margin Call

Clay Epstein
President, Film Mode Entertainment

Blye Faust
Rocklin | Faust
Producer: Spotlight

Adam Fields
Producer: Brokedown Palace, Donnie Darko, The Wedding Ringer

Wendy Finerman
Producer: The Devil Wears Prada, Drumline, Forrest Gump, P.S. I Love 
You

Cesar Fishman
Senior Vice President of Communications, CreativeFuture

John Flock
Executive Producer: The Good Shepherd
Producer: Bullet, Fortress

Christopher Floyd
Chief Operating Officer, Amblin Partners

Gary Foster
Producer: Daredevil, Ghost Rider, Sleepless in Seattle

Lucas Foster
Producer: Jumper, Man on Fire, Mr. and Mrs. Smith

Anne Marie Fox
Still Photographer: Dallas Buyers Club, Lee Daniels' The Butler, Sharp 
Objects, The Zookeeper's Wife

Kevin Goetz
Founder and CEO, Screen Engine/ASI

Neil Goetz
Executive Creative Director, The Engine Room
Co-Director of Development and Acquisitions, BBMG Entertainment

Norman Golightly
Executive Producer: Ghost Rider, The Sorcerer's Apprentice
Producer: Lord of War

Keith Gordon
Sidetracked Productions Inc.
Director: Better Call Saul, Fargo, Homeland, The Leftovers, Legion, A 
Midnight Clear, Mother Night, Waking the Dead

Mark Gordon
Entertainment One
Executive Producer: Quantico, Grey's Anatomy, Designated Survivor, 
Criminal Minds, Ray Donovan
Producer: The Nutcracker and the Four Realms, Murder on the Orient 
Express, Saving Private Ryan, Speed

Michael Gracey
Director: The Greatest Showman

Don Granger
Skydance Media
Executive Producer: Geostorm
Producer: Jack Reacher, Jack Reacher: Never Go Back, Mission 
Impossible: Rogue Nation

Bonnie Greenberg
Co-Producer/Music Supervisor: The Hunting Ground
Executive Music Producer: RBG
Music Supervisor: How The Grinch Stole Christmas, My Best Friend's 
Wedding

Jeffrey Greenstein
Co-President, Millennium Media, Inc.

James V. Hart
Writer: August Rush, Bram Stoker's Dracula, Contact, Hook
Founder, HartChart

Lisa Henson
CEO, The Jim Henson Company

Patricia Herskovic
Producer: Deadly Blessing, Mother's Boys, Toy Soldiers
Author: Escape to Life

Marshall Herskovitz
The Bedford Fall Company
Producer/Writer: The Last Samurai
Producer: Blood Diamond, Legends of the Fall
Executive Producer: Thirtysomething, My So-Called Life

David Hoberman
Mandeville Films
Producer: Beauty and the Beast, The Fighter, The Muppets, The Proposal, 
Wonder

Matthias Hoene
Director: Cockneys vs Zombies, Enter the Warriors Gate

Gale Anne Hurd
Valhalla Entertainment
Executive Producer: Fear The Walking Dead, Lore, The Walking Dead
Producer: Aliens, The Terminator, Terminator 2: Judgment Day, 
Terminator 3: Rise of the Machines

Allison Jackson
Founder and CEO, The Allison Jackson Company

Jon Jashni
Raintree Ventures
Executive Producer: Lost in Space
Producer: Godzilla, Kong: Skull Island, Pacific Rim, Warcraft

Dan Jinks
Producer: American Beauty, Big Fish, Milk

Ryan Kavanaugh
Producer: Mirror Mirror
Executive Producer: The Fast and the Furious: Tokyo Drift, Little 
Fockers, Talladega Nights: The Ballad of Ricky Bobby

Brad Kembel
Executive Vice President, Distribution & Operations, Global Road 
Entertainment, LLC

Tim Kittleson
Director, UCLA Film & Television Archive (ret.)

Jason Kliot
Open City Films
Producer: Coffee & Cigarettes, Enron: The Smartest Guys in the Room, 
Redacted
Executive Producer: Bubble, Capernaum, Lovely & Amazing

Hawk Koch
Former President, Academy of Motion Picture Arts and Sciences
Executive Producer: Heaven Can Wait, Primal Fear, Source Code, Wayne's 
World

Tony Krantz
Flame Ventures
Executive Producer: 24
Producer: Mulholland Drive

Adam Krentzman
Executive Producer: The Domestics, Elephant Tales, Oh My God

John Krokidas
Director: American Crime, Kill Your Darlings

Michelle LeClair
Author, Speaker, CCO, LeClair Beauty
Author: Perfectly Clear

Mark Leibowitz
President, Leibowitz Pictures

Adam Leipzig
Producer: Plastic Ocean
Co-Producer: Titus

Peter Lenkov
Executive Producer: Hawaii Five-0, MacGyver, Magnum P.I., Salvation

Harry Lennix
Actor: The Blacklist, Man of Steel, The Matrix Reloaded, Matrix 
Revolutions

Avi Lerner
Chairman and CEO, Millennium Media, Inc.

Todd Lieberman
Mandeville Films
Producer: Beauty and the Beast, The Fighter, The Proposal, Wonder

Michael London
Groundswell Productions
Executive Producer: Confirmation, Milk
Producer: Sideways

Laurence Mark
Producer: Jerry Maguire; I, Robot; Dreamgirls; Julie & Julia; The 
Greatest Showman

Ron Maxwell
Writer/Director: Copperhead, Gettysburg, Gods & Generals

Craig Mazin
Writer: The Hangover Part II, Identity Thief

Mary Mazzio
50 Eggs Films
Director/Producer: I Am Jane Doe, Apple Pie, The Apple Pushers, A Hero 
for Daisy, TEN9EIGHT, Underwater Dreams

Nat McCormick
Executive Vice President of Sales & Distribution, The Exchange

Michael Menchel
Producer: One Chance, Only the Brave
Executive Producer: Ain't Them Bodies Saints

Tory Metzger
Executive Producer: Arrival
Producer: The Forest

Gev Miron
Co-Founder and Creative Director, MVH CreativeWorks

Bobby Moses
Mavrick Artists Agency

Eric Newman
Screen Arcade
Executive Producer: Narcos
Producer: Bright, Children of Men

Rick Nicita
RPMedia Producer, Former Co-Chairman of Creative Artists Agency

Jerry Offsay
Executive Vice President, Hamburger Hill
Executive Producer: As Seen Through These Eyes, Eight Men Out, Six 
Dance Lessons in Six Weeks

MJ Peckos
President, Dada Films
Executive Producer: Burning Secret, Paper House

Maggie Phillips
Music Supervisor: The Handmaid's Tale, Moonlight

Pamela Pickering
Berlin International Film Festival Delegate, Former Chairman of IFTA

Lou Pitt
CEO, The Pitt Group and Alton Road Productions
Producer: The Exception, Hollywood Homicide

David Poland
President, Outside Voice

Gavin Polone
Pariah
Executive Producer: Curb Your Enthusiasm
Producer: Zombieland

Dawn Prestwich
Executive Producer: Carnivale, Flashforward, The Killing, The Riches, 
Z: The Beginning of Everything

Jean Prewitt
CEO, Independent Film & Television Alliance

John Ptak
Owner, Arsenal Films
Executive Producer: Let Me In, The Way Back

Samantha Ramirez-Herrera
Founder, Offtharecord Inc.

Linda Reisman
Producer: Leave No Trace
Executive Producer: The Danish Girl

JB Roberts
Partner, Thruline Entertainment

Doug Robinson
Executive Producer: Breaking In, The Goldbergs, Rules of Engagement

Lise Romanoff
Managing Director/CEO, Vision Films, Inc.

Karen Rosenfelt
Producer: Max, Me Before You, The Twilight Saga: Breaking Dawn--Part 1, 
The Twilight Saga: Breaking Dawn--Part 2, The Twilight Saga: Eclipse, 
The Twilight Saga: New Moon
Executive Producer: Twilight

Howard Rosenman
Producer: Call Me By Your Name, The Family Man, Father of the Bride

Danny Rosett
Executive Producer: Capote

Eric Roth
Executive Vice President of Business Affairs, New Regency Productions

Aaron Ryder
Co-President of Production & Acquisitions, FilmNation Entertainment
Producer: Arrival, Transcendence

Nina Sadowsky
Author: The Burial Society, Just Fall
Executive Producer: The Wedding Planner

Robin Sax, JD & MSW
Law Offices of Robin Sax

Teddy Schwarzman
Producer: The Imitation Game, Mudbound

Lloyd Segan
Partner, Piller/Segan

Keri Selig
President and Founder, Intuition Productions
Executive Producer: The Kennedys After Camelot, The Secret Life of 
Marilyn Monroe, The Stepford Wives

Jeff Sharp
Producer: Boys Don't Cry, The Yellow Birds, You Can Count on Me

Stacey Sher
Producer: Django Unchained, Erin Brockovich, The Hateful Eight, Into 
the Badlands, World Trade Center

Jon Shestack
Producer: Air Force One, Before I Fall, Dan in Real Life

Meyer Shwarzstein
CEO, Brainstorm Media

Sigurjon (Joni) Sighvatsson
Palomar Pictures
Producer: Killer Elite, The Weight of Water
Executive Producer: Arlington Road, Wind River

Paul Alan Smith
Founder, Equitable Stewardship for Artists

Ellen Steloff
Executive Director and Founder, Rabbit Hole Screenings
Executive Producer: Dream A Little Dream, Far From Home, A Gnome Named 
Norm, The Underachievers

Michael Sucsy
Director: Every Day, Grey Gardens, The Vow

Michael Sugar
Sugar23
Producer: Spotlight
Executive Producer: The Knick, The OA

Kurt Sutter
Executive Producer: Sons of Anarchy, Mayans M.C., The Shield
Executive Producer and Writer: Southpaw

Andrew Tennenbaum
Producer: Water for Elephants
Co-Producer: The Bourne Identity, The Bourne Legacy, The Bourne 
Supremacy, The Bourne Ultimatum, Jason Bourne

John Toll, ASC
Director of Photography: Almost Famous, Braveheart, Cloud Atlas, The 
Last Samurai, Legends of the Fall, The Rainmaker, The Thin Red Line, 
Vanilla Sky

Bob Tourtellotte
Film McQueen
Executive Producer: Crazy Bitches, Meth Head

Jeff Vespa
Vespa Pictures

Hunter Via
Editor: The Chi, Snowfall, The Walking Dead

Michele Vice-Maslin
Sweetersongs & Mob Force Productions
Songwriter: Blue Bloods, Downsizing, Guiding Light

Joana Vicente
Executive Director, Independent Filmmaker Project (IFP)

Ruth Vitale
CEO, CreativeFuture
Executive Producer: American Crime, Don Juan DeMarco, Gummo

Nick Wechsler
Nick Wechsler Productions
Producer: Magic Mike, The Road

Robert B. Weide
Director/Executive Producer: Curb Your Enthusiasm, Mr. Sloane
Producer/Writer: Mother Night
Writer: The Giver

Chris Weitz
Writer: Cinderella, Rogue One: A Star Wars Story
Director: A Better Life, The Twilight Saga: New Moon

Ron West
Partner, Thruline Entertainment

Brett Williams
Senior Vice President of Public Affairs, CreativeFuture

Frank Wuliger
Partner, The Gersh Agency

Janet Yang
Executive Producer: The Joy Luck Club
Producer: The People vs. Larry Flynt

Ron Yerxa
Bona Fide Productions
Producer: Election, Little Miss Sunshine, Nebraska

Graham Yost
Executive Producer: Justified
Writer: Speed

Jonathan Yunger
Co-President, Millennium Media, Inc.
                                 ______
                                 
   Response to Written Question Submitted by Hon. Roger F. Wicker to 
                         Hon. Michael Chertoff
    Question. What is your experience with the WHOIS database from a 
cybersecurity perspective and can you comment on its importance in this 
regard?
    Answer. An unexpected side-effect of Europe's adoption of the 
General Data Protection Regulation (GDPR) was the decision of the 
Internet Corporation for Assigned Names and Numbers (ICANN) to redact 
some registration information from its WHOIS database. ICANN is the 
non-profit organization that manages the global domain name system, 
which acts as a sort of address book or telephone book for the 
internet, directing users to specific servers based on the domain name 
information that they enter into their browser. This allows end users 
to type in the domain www.whitehouse.gov rather than having to memorize 
the specific server address associated with the White House's public 
website, which could be a series of up to 32 alpha-numeric characters. 
ICANN's WHOIS database allows for the public, and security researchers, 
to look up key information about individual domains, including who 
registered or controls them.
    ICANN has interpreted GDPR as requiring the redaction of several 
fields of data traditionally included in WHOIS data, including the name 
of the person who registered the domain, their phone number, physical 
address, and e-mail address. While this information is not always 
publicly available through WHOIS (and can be of dubious quality) as a 
result of varying practices from various domain name providers, this 
data can be very useful to researchers, criminal investigators, and 
other parties seeking to investigate potential cybercrimes or malicious 
activity associated with a specific domain (which may, for example, be 
used to mimic a major retailer in order to steal user credentials or 
serve as a command and control server for malicious software). As a 
result of this change, ICANN has proposed creating an ``accreditation'' 
system to restore access to this information to law enforcement and 
researchers. It has yet to fully develop such a system and has 
indicated that it would not be ready until at least December 2018. It would 
then likely take several months for domain providers to adopt the new 
system.
    As a result, for at least the next few months, researchers and law 
enforcement will be unable to utilize a tool that has historically been 
useful in shutting down cyber criminal enterprises and in the conduct 
of cyber criminal investigations. I would encourage ICANN to move 
quickly to remedy the problem and restore access to this information to 
both law enforcement and researchers in order to help them combat cyber 
criminal activity.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                        to Hon. Michael Chertoff
    Question 1. There are nearly a quarter of a million small 
businesses in Nevada. They're working to try to navigate the 
increasingly complex cyber world and I hear a lot from them about 
cybersecurity and other Internet issues.
    Can you talk about GDPR, as well as other international 
regulations, and how we can ensure that small businesses have the tools 
to navigate these as well as rules that are being put in place at the 
state level?
    Answer. Certainly, such regulations can be difficult for small 
businesses to deal with. Often companies lack the in-house resources 
and expertise to develop a strong understanding of their requirements 
and the steps that may be needed to implement required changes. This is 
particularly true if a small business does all of its own in-house data 
management and processing. However, many small businesses rely upon 
third-party vendors for data management and processing, meaning that 
their compliance is effectively handled by that vendor. Many cloud 
vendors, for example, have marketed their products to smaller 
businesses by highlighting their in-built GDPR compliance, such as data 
management and security capabilities that meet EU standards. It is also 
worth noting that many small businesses in the U.S. are unlikely to be 
impacted by international regulations as their customers are located 
exclusively in the United States.
    State-level regulations in the U.S. are likely to have a much 
larger impact on small businesses, just as varying state sales tax 
regimes do. The one advantage of GDPR is that it has created a single 
standard and compliance regime for all 28 EU member countries, and 
arguably for the slightly larger number of European countries in the 
European Economic Area (EEA). The prospect of fifty different state-
level data security and privacy regulations is far more daunting and 
potentially impactful for U.S. small businesses, which are far more 
likely to conduct business across state lines than they are across 
international borders. While many are likely to rely upon their third-
party vendors to aid them in their compliance with such requirements, 
the possibility of fifty different regulatory regimes and the magnitude 
of potential business impact makes the scale of the issue much greater 
for small businesses. As I indicated in my earlier testimony, I would 
encourage policy makers to work toward a single, national regime with 
robust data security and privacy protections rather than allowing a 
patchwork of state-level requirements to develop.

    Question 2. Countries are increasingly imposing data localization 
requirements, which require companies that collect personal data to 
store it on servers within the geographic boundaries of the country, as 
a requirement for companies to do business there.
    Are there logistically feasible ways for American entities to 
process data internationally with the data localization policies that 
were discussed at the hearing?
    Answer. It may be feasible for certain companies to comply with 
such requirements in certain instances. For example, Microsoft has 
built a data center in Germany with a local partner to comply with some 
initial data-localization requirements. This is unlikely to have a 
major impact on their business given the size of the German market and 
the likelihood that the company would need in any event to build at 
least one, if not several, data centers in the country to offer its 
cloud services to customers in that country while maintaining a high 
level of service. That said, a smaller provider may not have the volume 
of business in Germany to justify constructing a dedicated data center 
in that country, potentially making it infeasible for them to operate 
there. This could pose a significant barrier to entry for new market 
entrants.
    These calculations also change if you consider a smaller country, 
such as Luxembourg, or a series of smaller countries geographically 
proximate to one another. For example, the Baltic countries (Estonia, 
Latvia, and Lithuania) taken together may be a large enough market to 
justify a company such as Google or Amazon building a data center to 
serve all three countries, perhaps constructing the data center in 
Estonia. However, if each country were to have its own data 
localization requirements a provider would be expected to build a data 
center not just in Estonia, but in Latvia and Lithuania as well. Such a 
change could make it economically infeasible for the provider to offer 
its services in all three countries.

    Question 3. How does this impact academia or the private sector?
    Answer. These requirements generally do not distinguish between 
sectors and, as such, they would impact both the academic and private 
sectors. In the academic world, such requirements could make 
collaborative research extremely difficult, if not impossible, limiting 
the ability for researchers to transfer data between collaborators in 
different countries or process research data from country A in country 
B. For the private sector, such requirements could effectively prevent 
foreign companies from operating in a country with these requirements 
as they could prove so costly as to be a barrier to entry.

    Question 4. With the various data localization laws taking effect, 
can you discuss whether those typically explicitly forbid data transfer 
over national borders or would they allow a country, Germany for 
example, to host data on German made servers in a neighboring country?
    Answer. The most stringent of these requirements effectively 
prohibit the transfer of data belonging or relating to a citizen of the 
country to an entity or location outside of that country's physical 
borders. I am unaware of any existing or proposed requirements that 
would allow for the transfer of affected data outside the country 
provided that the transfer was to servers manufactured within the 
country. Instead the EU, and some countries outside the EU, have only 
allowed for data to be transferred beyond their jurisdiction when the 
company conducting the transfer and the country to which the data is 
being transferred agree to store and process the data in a manner that 
complies with their own domestic requirements. For example, the US-EU 
Privacy Shield Agreement, and the preceding Safe Harbor agreement, 
require U.S. companies and the U.S. Government to ensure that all 
European data transferred to the U.S. is handled in a manner consistent 
with EU data protection requirements.

    Question 5. Additionally, if a U.S. company, for example, was 
expected to store data on a data center in a country like China, would 
it be mandated to use Chinese materials or technology in the 
construction of the data center? Please answer generally with respect 
to the multitude of data localization laws.
    Answer. It certainly is possible that a country could have such a 
requirement, but practically speaking, few countries have a domestic 
industry capable of supporting such a requirement. China, specifically, 
is where a large volume of technology components used in cloud 
computing are manufactured, so it would be relatively easy for Chinese 
authorities to mandate the use of servers or other components 
manufactured in country. Frankly, supply-chain risks associated with 
the widespread use of technology components manufactured in China is a 
serious concern across the U.S. technology and national security 
sectors and merits a much broader and in-depth discussion.

    Question 6. The EU-U.S. Privacy Shield is a program that allows 
companies to transfer personal data to the United States from the 
European Union (EU) in a way that is consistent with EU law. However, 
the European Parliament passed a non-binding resolution in July 
claiming the United States was not complying with European law and 
called on the European Commission to suspend Privacy Shield by 
September 1 ``unless the U.S. is fully compliant.''
    What would the impact to U.S. businesses be if the EU Commission 
suspends Privacy Shield?
    Answer. The suspension of the Privacy Shield agreement would likely 
have an impact similar to that seen when the European Court of Justice 
(ECJ) effectively suspended Privacy Shield's predecessor, Safe Harbor, 
through its ruling in the Schrems case. That is, it would create 
significant uncertainty for U.S. providers operating in Europe and 
leave them in a legal limbo as they sought to comply with EU data 
protection requirements via alternative means, such as binding 
corporate rules or standard model clauses.
    For the largest U.S. technology providers, the impact would likely 
be limited as these companies, Google, Microsoft, and Amazon, for 
example, already have these alternative means of compliance in place. 
However, the impact on smaller providers would be much greater. Binding 
corporate rules can be difficult to implement and standard model 
clauses can present legal issues to some companies. Smaller companies 
are also unlikely to have the in-house expertise needed to achieve 
compliance through these alternative means, increasing their costs and 
potentially disrupting their operations.
    It seems likely that the European Commission will seek some sort of 
renegotiation of Privacy Shield with the U.S. to ensure it properly 
reflects GDPR's requirement. Max Schrems, the plaintiff in the earlier 
court case that led the ECJ to effectively invalidate Safe Harbor, has 
already filed a challenge to Privacy Shield claiming it does not 
adequately protect Europeans' privacy rights under GDPR. The case will 
ultimately need to make its way through European courts and back to the 
ECJ, meaning that there will be some level of uncertainty surrounding 
Privacy Shield's future for at least several years.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jon Tester to 
                         Hon. Michael Chertoff
    Question 1. Many members of the panel mentioned the United States 
needs to step up our level of engagement and join other like-minded 
countries. In your opinion, which countries closest align with our 
values on Internet freedom, privacy, and Internet of Things?
    Answer. Our traditional allies are the countries who are most like-
minded on these issues. The United Kingdom, Canada, Australia, and New 
Zealand (the so-called ``Five Eyes'') are the most closely aligned with 
the U.S. on these issues. The countries of the EU are also similarly 
minded but have differing views on what constitutes privacy and how to 
balance those rights with others, such as free speech. As such, we are 
unlikely to find easy agreement on issues such as ``the right to be 
forgotten.'' Other traditional allies, such as Japan, South Korea, and 
Taiwan, also share broadly similar views.

    Question 2. What forum (e.g., the United Nations, NATO, etc.) do 
you recommend for facilitating an international discussion on rules and 
definitions?
    Answer. Unfortunately, there isn't an ideal forum for such a 
discussion currently. NATO and other security alliances made up of 
like-minded countries are focused on more traditional security needs 
and are ill-suited for this type of a discussion and effort. Broader-
based organizations, such as the UN, include a much wider variety of 
countries, many of whom do not share our values or views on data 
privacy and security, and as such would oppose our efforts. I believe 
that bi-lateral or multi-lateral efforts outside of these 
organizations, or the creation of a new organization, to be the likely 
path forward on these issues. A number of nongovernmental 
organizations, including the Global Commission on the Stability in 
Cyberspace, on which I serve, continue to examine and work on these 
issues and could be the basis for broader discussion between interested 
countries on these issues.

    Question 3. Before the United States can lead the charge 
internationally, we must unify our own ``rules of the road.'' Does such a 
forum currently exist, to your knowledge? How has private industry in 
the U.S. tried to tackle how we define the rules of the road when it 
comes to Internet security and governance? Which U.S. governmental 
agency would you recommend take the lead and represent the United 
States in international discussions?
    Answer. I do not believe that we have such a consensus in the 
United States on these issues at this time. Conversations on these 
issues have taken place in a variety of forums, including the Aspen 
Security Conference and RSA. To date, private industry has generally 
avoided making specific proposals on these issues, though several have 
begun to move in this direction having recognized the need for action. 
Microsoft's Brad Smith, for example, has proposed a ``Digital Geneva 
Convention'' to help establish these types of rules. The varying 
business models and interests of major U.S. technology companies make 
it difficult for U.S. technology companies to reach their own consensus 
on these issues. I believe that Congressional action and Executive 
leadership will be needed in order to establish such rules. Perhaps 
Congress could establish a Commission to study and make comprehensive 
recommendations.
    In terms of international discussions, I certainly see the U.S. 
State Department as the agency that will need to take the lead, with 
support in such discussions coming from the Departments of Commerce, 
Homeland Security, and Defense as well as the intelligence community.
                                 ______
                                 
   Response to Written Question Submitted by Hon. Roger F. Wicker to 
                              James Bladel
    Question. Mr. Bladel, the EU's General Data Protection Regulation 
was intended to apply only to EU citizens (natural persons). What is 
GoDaddy doing to preserve open and free access to as much of the WHOIS 
record as possible by differentiating between those individuals covered 
by the EU's GDPR and those who are not?
    Answer. When the European Union's General Data Protection 
Regulation (GDPR) took effect on 25 May 2018, GoDaddy redacted the 
published WHOIS data for all impacted customers according to ICANN's 
Temporary Specification (https://www.icann.org/resources/pages/gtld-
registration-data-specs-en).
    This redaction only applied to those records that we determined, to 
the best of our knowledge, represented natural persons who were covered 
by GDPR, or equivalent privacy laws. We did not redact records that 
clearly represented organizations, or with mailing addresses outside of 
these regions.
    GoDaddy estimates that we have redacted less than 20 percent of 
WHOIS records in order to comply with GDPR.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                            to James Bladel
    Question 1. Countries are increasingly imposing data localization 
requirements, which require companies that collect personal data to 
store it on servers within the geographic boundaries of the country, as 
a requirement for companies to do business there.
    Are there logistically feasible ways for American entities to 
process data internationally with the data localization policies that 
were discussed at the hearing?
    Answer. While it is technically possible to create localized 
instances for data processing, this approach creates significant 
operational costs and complexities that could prohibit us from serving 
certain markets. Additionally, localization requirements disrupt our 
ability to provide a uniform experience to our customers across our 
product offering.

    Question 2. How does this impact academia or the private sector?
    Answer. I'm not able to characterize the impact on academia, and 
believe that our response to Question 1 would be applicable for most 
private sector companies. Generally, the aggregate effect of these laws 
is to favor local providers (or affiliates) over American firms.

    Question 3. With the various data localization laws taking effect, 
can you discuss whether those typically explicitly forbid data transfer 
over national borders or would they allow a country, Germany for 
example, to host data on German made servers in a neighboring country?
    Answer. Some countries (e.g., China) have strict requirements that 
all data is processed and retained locally. Other countries allow for 
international data sharing under certain conditions. For example, under 
GDPR Germany would allow user data to be transferred within the 
European Union, or to countries recognized to have an equivalent data 
protection framework. Currently, transfers from the EU to the U.S. are 
allowed under the Privacy Shield agreement.

    Question 4. Additionally, if a U.S. company, for example, was 
expected to store data on a data center in a country like China, would 
it be mandated to use Chinese materials or technology in the 
construction of the data center? Please answer generally with respect 
to the multitude of data localization laws.
    Answer. I am not aware of localization laws that require us to use 
domestic equipment or technology. And while laws vary across countries, 
we have encountered localization requirements (actual or proposed) that 
would obligate us to:

   Establish a local presence or entity

   Use a local bank or law firm

   Obtain a license or permit from the local government (with 
        various obligations)

   Provide local authorities with regular reports or privileged 
        access to data or records

    Question 5. The EU--US Privacy Shield is a program that allows 
companies to transfer personal data to the United States from the 
European Union (EU) in a way that is consistent with EU law. However, 
the European Parliament passed a non-binding resolution in July 
claiming the United States was not complying with European law and 
called on the European Commission to suspend Privacy Shield by 
September 1 ``unless the U.S. is fully compliant.''
    What would the impact to U.S. businesses be if the EU Commission 
suspends Privacy Shield?
    Answer. The loss of Privacy Shield would significantly disrupt our 
ability to process the data of our customers in the EU, and reliably 
deliver the products they have purchased from us. We note that the 
September 1 deadline has passed, but the EU has not taken any steps to 
suspend Privacy Shield. But because of the potential impact to our 
business, we are closely monitoring these developments.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jon Tester to 
                              James Bladel
    Question 1. Many members of the panel mentioned the United States 
needs to step up our level of engagement and join other like-minded 
countries. In your opinion, which countries closest align with our 
values on Internet freedom, privacy, and Internet of Things?
    Answer. In terms of free expression and encouraging innovation and 
free online markets, I consider our historical allies in Internet 
Governance to be most closely aligned with the values of the US. This 
includes: Europe/UK, Canada, Australia, New Zealand, and to some 
extent: Japan, South Korea, and Mexico.

   With regard to online privacy, my opinion is that the EU is 
        leading this issue globally, other countries are following 
        suit, and the U.S. is increasingly being viewed as an outlier.

   I don't have an informed opinion on the governance landscape 
        as it pertains to the Internet of Things (IoT).

    Question 2. What forum (e.g., the United Nations, NATO, etc.) do 
you recommend for facilitating an international discussion on rules and 
definitions?
    Answer. In the private sector, we favor multi-stakeholder 
organizations (like ICANN) as an international forum for establishing 
rules and policies.
    We do not find the United Nations, especially the ITU, as a helpful 
forum for these topics. An exception would be the Internet Governance 
Forum (IGF), which is sponsored by the UN.

    Question 3. Before the United States can lead the charge 
internationally, we must unify our own ``rules of the road.'' Does such a 
forum currently exist, to your knowledge? How has private industry in 
the U.S. tried to tackle how we define the rules of the road when it 
comes to Internet security and governance? Which U.S. governmental 
agency would you recommend take the lead and represent the United 
States in international discussions?
    Answer. Many of the rules and policies that govern our industry are 
developed within ICANN, but issues like privacy, competition, and 
cybersecurity are outside of ICANN's remit. For this reason, I'm 
inclined to believe that a forum for these issues does not currently 
exist.
    The private sector has largely self-organized to address online 
problems, and has had some success via numerous coalitions, alliances, 
etc. These groups allow large firms to gather and share ideas, data, 
best practices, and then disseminate these throughout the industry.
    The U.S. interests are best represented by the Department of 
Commerce (NTIA), and in some fora by the State Department.
    Cybersecurity and online organized crime issues are more 
appropriately addressed by law enforcement (FBI/DOJ) and/or Defense.
                                 ______
                                 
   Response to Written Question Submitted by Hon. Roger F. Wicker to 
                          Roslyn Layton, Ph.D.
    Question. Dr. Layton, it seems that the stated intention and scope 
of the recent EU General Data Protection Regulation (GDPR) is far 
different from the impacts of its implementation. Can you comment on 
how the GDPR has been implemented as it relates to access to WHOIS 
data, which is critical to the security and safety of the open Internet 
itself?
    Answer. The July 31st hearing established that the stated intention 
and scope of the GDPR is far different from its implementation. To 
begin, Americans have different conceptions of privacy and data 
protection compared to Europeans. Moreover, the processes to make the 
respective regimes move in opposite directions. Americans may have 
a starting point of privacy, a deductive process from which data 
protection policy and regulation flows. The Europeans on the other 
hand, are inductive. They build a series of data protection 
regulations, and that resulting corpus is what is referred to as 
privacy. The GDPR itself only mentions ``privacy'' in three instances, 
and it is more correctly understood as a model of data governance, 
rather than privacy.
    Moreover, the GDPR has many unintended consequences, one of which 
is the undermining of the transparency of the WHOIS query and response 
protocol as it is needed by law enforcement, cybersecurity professionals 
and researchers, and trademark and intellectual property rights 
holders.\1\ The problem is best described as the conflict between the 
right to be informed and the right to be forgotten.\2\ It can also be 
understood within the context of the problem of ``privacy overreach,'' 
\3\ in which the drive to protect privacy becomes absolute, lacks 
balance with other rights, and unwittingly brings worse outcomes for 
privacy and data protection.\4\ The situation harkens back to a key 
fallacy of so-called privacy activists who attempted to block the 
rollout of caller ID because it violated the privacy rights of 
intrusive callers. Today we agree that the receiver's right to know who 
is calling is prioritized over the caller.\5\ Similarly we can 
understand that the needs of public safety will supersede data 
protection, particularly in situations of danger to human life. 
Moreover, we should at least expect intellectual property to be in 
balance with data protection, not in the conflict we find it today with 
the GDPR.
---------------------------------------------------------------------------
    \1\ Shane Tews. ``How European data protection law is upending the 
Domain Name System.'' American Enterprise Institute. February 26, 2018. 
https://www.aei.org/publication/how-european-data-protection-law-is-
upending-the-domain-name-system/
    \2\ Shane Tews, ``Privacy and Europe's data protection law: 
Problems and implications for the US''. AEI.org May 8, 2018. http://
www.aei.org/publication/privacy-and-europes-data-protection-law-
problems-and-implications-for-the-us/
    \3\ See Justin ``Gus'' Hurwitz and Jamil N. Jaffer, ``Modern 
Privacy Advocacy: An Approach at War with Privacy Itself?,'' Regulatory 
Transparency Project of the Federalist Society, June 12, 2018, 
https://regproject.org/paper/modern-privacy-advocacy-approach-war-
privacy/.
    \4\ See Maja Brkan, The Unstoppable Expansion of the EU Fundamental 
Right to Data Protection, Maastricht Journal of European and 
Comparative Law 23, no. 5 (2016): 23, http://journals.sagepub.com/doi/
abs/10.1177/1023263X1602300505?journalCode=maaa.
    \5\ Supra Hurwitz
---------------------------------------------------------------------------
    While the goal of the GDPR may have been data protection, an 
overbroad application by registrars and registry operators is 
threatening to jeopardize the safety of Internet users and the security 
of the Internet generally, both within the EU and beyond its borders. 
From its launch, WHOIS was designed to enable people to identify whom 
they are dealing with on the other side of a website. This not only 
promotes the trust necessary to facilitate online commerce, but is also 
critical for public safety, consumer protection, law enforcement, 
dispute resolution, and enforcement of rights.
    The Internet Corporation for Assigned Names and Numbers, however, 
announced a Temporary Specification recently that allows registries and 
registrars to obscure WHOIS information they were previously required 
to make public, ostensibly in order to comply with the GDPR.\6\ This 
will hinder efforts to combat unlawful activity online, including 
identity theft, cyber-attacks, online-espionage, theft of intellectual 
property, fraud, unlawful sale of drugs, human trafficking, and other 
criminal behavior, and is not even required by the GDPR, as the U.S. 
Departments of Commerce and Homeland Security, the National 
Telecommunications and Information Administration, and ICANN's own 
Governmental Advisory Committee of more than 170 member countries and 
economies have all observed.\7\
---------------------------------------------------------------------------
    \6\ ICANN, Temporary Specification for gTLD Registration Data 
(adopted May 17, 2018), https://www.icann.org/resources/pages/gtld-
registration-data-specs-en.
    \7\ See U.S. Dept. of Commerce and U.S. Dept. of Homeland Security, 
A Report to the President on Enhancing the Resilience of the Internet 
and Communications Ecosystem Against Botnets and Other Automated, 
Distributed Threats 23, 24 (May 2018), https://www.commerce.gov/sites/
commerce.gov/files/media/files/2018/eo_13800_botnet_report_-
_finalv2.pdf; Remarks of David J. Redl, Assistant Secretary of Commerce 
for Communications and Information, ICANN 61 (March 12, 2018), https://
www.ntia.doc.gov/speechtestimony/2018/remarks-assistant-secretary-redl-
icann-61; ICANN, Governmental Advisory Committee, Communique--San Juan, 
Puerto Rico (March 15, 2018), https://gac.icann.org/advice/communiques/
20180315_icann61%20gac%20communique_finall.pdf.
---------------------------------------------------------------------------
    Notably the GDPR does not apply at all to non-personal information 
and states that disclosure of even personal information can be 
warranted for matters such as consumer protection, public safety, law 
enforcement, enforcement of rights, cybersecurity, and combating fraud. 
Moreover, the GDPR does not apply to domain names registered to U.S. 
registrants by American registrars and registries. Nor does it apply to 
domain name registrants that are companies, businesses, or other legal 
entities, rather than ``natural persons.''
    To protect American citizens, Congress therefore might consider 
urging--both through its own diplomatic channels and in its work with 
the White House and Federal agencies--that European policymakers 
clarify that the GDPR does not prevent access to WHOIS data for law 
enforcement, consumer protection, and rights enforcement. Congress 
might also indicate to domain name registries and registrars that it 
expects them to continue making WHOIS data publicly available to both 
law enforcement and private entities for purposes of protecting U.S. 
consumers and rightsholders. Federal legislation requiring such 
disclosure also should be considered to ensure that the European 
directive does not inappropriately interfere with U.S. prerogatives to 
set U.S. policy and protect its citizens.
    Congress should take note of some key actors driving the GDPR who 
are now in key political positions in the EU. Notably the coming 
conflict between the GDPR and WHOIS was highlighted in a 2017 
academic article by law and computer science researchers at the 
University of Vienna.\8\ Austria has been ground zero for GDPR 
activism. The current head of the EU Data Protection Supervisor (EDPS), 
Andrea Jelinek, was formerly the chief of the Austrian Data Protection 
Authority which worked closely with Austrian privacy activist Max 
Schrems. Schrems founded the Vienna-based non-profit None of Your 
Business (NOYB) to professionalize GDPR litigation and has lodged GDPR 
complaints against Google and Facebook, requesting some $8.8 billion in 
damages on the day the GDPR came into effect.\9\ Jelinek has 
incorporated NOYB parlance into EDPS activities and policy 
arguments.\10\ In her role in the Article 29 Working Party, the group 
that drove the promulgation of the GDPR, Ms. Jelinek noted that the 
elimination and masking of WHOIS information is justified under the 
nebulous, overbroad, and invented conceptions of the GDPR.\11\ It is 
understandable that this group of GDPR supporters are willing to torpedo 
internationally accepted norms and conventions in order to legitimize 
the GDPR.
---------------------------------------------------------------------------
    \8\ Erich Schweighofer, Vinzenz Heussler, and Walter Hotzendorfer. 
``Implementation Issues and Obstacles from a Legal Perspective.'' 
Collaborative Cyber Threat Intelligence: Detecting and Responding to 
Advanced Cyber Attacks at the National Level. Editor Florian Skopik. 
Taylor & Francis, 2017. https://www.taylorfrancis.com/books/e/
9781315397894
    \9\ https://noyb.eu/wp-content/uploads/2018/05/
pa_forcedconsent_en.pdf
    \10\ See the discussion of ``forced consent'', a term defined by 
NOYB which has been co-opted by the EDPS.
    \11\ https://www.icann.org/en/system/files/correspondence/jelinek-
to-marby-11apr18-en.pdf
---------------------------------------------------------------------------
    My testimony underscores that the GDPR violates many U.S. laws and 
norms and is likely illegal under international law and should be 
challenged by U.S. policymakers.
                                 ______
                                 
      Response to Written Question Submitted by Hon. Roy Blunt to 
                          Roslyn Layton, Ph.D.
    Question. As you know, liability protections for online platforms 
were instituted, in part, so that they could filter harmful and illicit 
content without the threat of civil litigation. In recent years, 
however, digital piracy and other illegal digital transactions have 
been on the rise, and most of the activities to counter it have been 
retrospective. In your testimony, you state that technology and 
business models are improving in a way that could better detect 
pirated, unlicensed content, yet tech companies do not appear to be 
effectively vetting and filtering content on a proactive basis--even 
that which is clearly illegal. In 2017, there were an estimated 22.9 
billion visits to streaming piracy sites worldwide across both desktops 
and mobile devices, a 39 percent increase over the comparable figure 
for 2016. Considering the rise of illegal traffic over online 
platforms:

   Do you believe that technology companies are doing enough to 
        curb the spread of illicit material online?

   Do you believe that the liability protections for technology 
        companies as currently enacted are accomplishing their intended 
        goal?

    Answer. The presumption some 20 years ago behind section 230 of the 
Communications Act and Section 512 of the Copyright Act was that with 
liability protections, online platforms would take proactive steps to 
combat illegal activity over their services. Moreover, those 
protections were only meant to accrue to entities that were not 
profiting from illegal activity. Unfortunately, many platforms are 
primarily taking steps after-the-fact (if at all), once harm has already 
occurred, rather than proactively curbing abuse of their systems. 
Moreover, because many platforms' business models are rooted in 
advertising or the commercialization of data related to Internet users' 
online behavior, some platforms generate revenue from illicit online 
behavior. Clearly this was not the intent of the liability shields, and 
many online platforms can and should be doing more.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                        to Roslyn Layton, Ph.D.
    Question 1. Countries are increasingly imposing data localization 
requirements, which require companies that collect personal data to 
store it on servers within the geographic boundaries of the country, as 
a requirement for companies to do business there.
    Are there logistically feasible ways for American entities to 
process data internationally with the data localization policies that 
were discussed at the hearing?
    Answer. Not every U.S. company is similarly situated. While some 
firms may be able to afford the data localization requirements, this 
does not mean that the requirements improve the quality or efficiency 
of business. While countries claim to benefit by data localization 
(e.g., local economic development), these efforts are at best prestige 
projects designed to make a symbolic show of local participation in the 
Internet economy. At worst, many of these requirements are merely 
fronts for increased surveillance by the foreign government and even 
theft of intellectual property. Make no mistake: the goal of this 
policy is to exert increasing control of the digital economic model 
over the data stored and transferred in the center. There are benefits 
especially in totalitarian states to apply this policy that will be 
offset against cost of social policing or economic measures (e.g., 
direct taxation based on data localization). Remember that the Internet 
and access to information is directly linked to better economic 
opportunities, education, and political options, so it is very 
sensitive for some governments.
    Please note that the free flow of information is the #1 declaration 
of the Organization for Economic Cooperation and Development's digital 
policy recommendations.\1\ Please see the many helpful discussions on 
this topic submitted to NTIA comments on International Internet 
Priorities.\2\
---------------------------------------------------------------------------
    \1\ http://www.oecd.org/sti/ieconomy/Digital-Economy-Ministerial-
Declaration-2016.pdf
    \2\ https://www.ntia.doc.gov/federal-register-notice/2018/comments-
international-internet-policy-priorities
---------------------------------------------------------------------------
    To shed further light on this topic, I attach documents prepared by 
the Chamber of Commerce, which to my knowledge, offers the most 
comprehensive review of the topic and is a credible and authentic voice 
for American enterprise.\3\ Please note that I have no financial 
relationship with the Chamber nor does my attachment of these materials 
constitute an endorsement of any policy.
---------------------------------------------------------------------------
    \3\ Forced Localization: Myths and Facts; Submission to ITC April 
2018; Letter to Indonesian government; Letter to Indian government May 
2018. See the collected reports for Brazil, EU, Indonesia, Japan, South 
Korea, Nigeria, Turkey, Vietnam under the webpage ``Globally Connected, 
Locally Delivered: The Economic Impact of Cross-Border ICT Services.'' 
https://www.uschamber.com/report/globally-connected-locally-delivered-
the-economic-impact-cross-border-ict-services.
---------------------------------------------------------------------------
    While U.S. policymakers should reject forced data localization, it 
is important to understand the motivations for why countries pursue 
such measures and what overall changes and adjustments that U.S. 
policymakers implement to preclude data localization in future. There 
is a sense in many, but not all, countries that American services, 
applications, content, and devices dominate the digital economy and 
that local competitors cannot get a foothold. Data localization can be 
a symbolic response to address what is locally seen as an economic and 
digital imbalance and an attempt to compensate for lost local revenue 
and taxation.
    While the construction of data centers contributes little to local 
digital economies, they do have a marginal impact in employment in 
traditional sectors (e.g., construction, sanitation, etc) and some 
ongoing services for food, transportation etc. However, the centers are 
designed to be self-sufficient in terms of energy or emergency services 
such as fire services hence the companies setting them up are 
increasingly to be rewarded for installing those data centers 
offsetting the initial and temporal creation of non-technical jobs with 
the long-term life of the center and environmental costs. Notably local 
governments may leverage their relationships with Silicon Valley 
companies for such arrangements.
    This problem has also been exacerbated by so-called net neutrality 
legislation (some 50 countries) which generally preclude the ability of 
local Internet service providers to participate in efficient two-sided 
market arrangements with companies such as Google and Netflix, reducing 
the ability to invest in broadband infrastructure. Moreover, the lost 
transit revenue and other imbalances reduce the total revenue in the 
local economy which can be taxed and thus remunerated to the local 
country government.
    From the point of view of firms such as Google and Netflix, it is 
rational that they desire to minimize their costs. However, the policy 
creates a loss of consumer welfare in that the cost of transit is 
passed on to all consumers, which increases the price of broadband 
across the board, falling hardest on people of lower income. The policy 
also prohibits the participation of third-party advertisers and firms 
to subsidize the cost of broadband, firms which incidentally are 
frequently American. This is extremely damaging for the truly poor who 
cannot afford Internet access.\4\ While years of net neutrality have 
helped cement the market power of Google and Netflix, the policy has 
not helped foreign countries create local content and services as was 
promised.\5\ It should not be surprising then that countries wish to 
compensate for the imbalance, however in a sub-optimal and ineffective 
way, whether by antitrust, taxation or forced localization. Had U.S. 
Internet firms pursued transparent and efficient two-sided market 
arrangements from the start, it is possible that the current situation 
of forced localization would be significantly less.
---------------------------------------------------------------------------
    \4\ https://www.forbes.com/sites/roslynlayton/2018/07/13/why-does-
california-want-to-adopt-indias-failed-internet-regulation/
#77feeaf3541a
    \5\ http://www.aei.org/publication/does-net-neutrality-spur-
internet-innovation/
---------------------------------------------------------------------------
    There are other ways countries could achieve consumer and 
innovation protections without resorting to heavy-handed, 
anticompetitive policies. Indeed, the evidence shows that countries 
which have pursued ``soft'' methods for net neutrality such as multi-
stakeholder models and codes of conduct have been more successful in 
producing their own Internet innovation. These countries include Japan, 
South Korea, Switzerland, and the Nordic countries prior to 2015.\6\
---------------------------------------------------------------------------
    \6\ http://www.aei.org/publication/beyond-net-neutrality-policies-
for-leadership-in-the-information-computing-and-network-industries/
---------------------------------------------------------------------------
    There is an additional perspective from the experience from gaming 
platforms. These platforms provide the same service to different users 
based on their location. In countries where gambling or the trading of 
virtual currencies is regulated, the gaming users cannot access those 
services. Countries can use this argument to require localization, 
particularly for government to gain easy access for regulated 
industries (e.g., Indonesia and Turkey).
    Some countries employ policy arguments in favor of forced 
localization based upon distrust from the U.S. following the Edward 
Snowden revelations. They see the U.S. as having a double-standard in 
which the U.S. Government and firms have access to user data but want 
to preclude other countries from doing the same. Naturally there are 
good reasons why the U.S. Government and firms would protect user data from 
other countries, but nevertheless there is a ``feeling'' that the U.S. 
is hypocritical. More broadly this speaks to the need to rebuild trust with 
other countries, which according to Pew has been on the decline with 
some countries for years.
    It is possible that some technical substitutes for forced data 
localization could evolve in future, notably blockchain with its 
ledger.\7\
---------------------------------------------------------------------------
    \7\ https://www.amazon.com/dp/B072NYKG2G/ref=dp-kindle-
redirect?_encoding=UTF8&
btkr=1

    Question 2. How does this impact academia or the private sector?
    Answer. These requirements impose a cost which falls harder on 
academic, non-profit, and smaller enterprises because they tend to have 
smaller IT budgets and have limited IT staff to implement such 
requirements. For these reasons, smaller institutions are more 
vulnerable to retribution by foreign governments, particularly if 
foreign governments perceive these institutions engaging in politically 
sensitive or competitive activity (e.g., a university may have valuable 
intellectual property and data localization could be an illicit means 
to access that IP; religious organizations are growing in popularity in 
China, and data localization can be a means to increase surveillance of 
fundraising practices etc.\8\).
---------------------------------------------------------------------------
    \8\ https://www.theatlantic.com/international/archive/2017/04/
china-unregistered-churches-driving-religious-revolution/521544/

    Question 3. With the various data localization laws taking effect, 
can you discuss whether those typically explicitly forbid data transfer 
over national borders or would they allow a country, Germany for 
example, to host data on German made servers in a neighboring country?
    Answer. It appears that there are a variety of conflicting trends 
with some countries forbidding transfer while other countries allowing 
hosting with preferred national vendors. We can even see conflicting 
policies within the same country. It is costly and inefficient to have 
such contradictory approaches. For a comprehensive review of the 
requirements, please see the documentation by the U.S. Chamber of 
Commerce.\9\ See also the helpful report by ITIF.\10\
---------------------------------------------------------------------------
    \9\ https://www.ntia.doc.gov/files/ntia/publications/
180717_comments_uscc_ntia_international
internetpolicypriorities.pdf
    \10\ https://itif.org/publications/2017/05/01/cross-border-data-
flows-where-are-barriers-and-what-do-they-cost

    Question 4. Additionally, if a U.S. company, for example, was 
expected to store data on a data center in a country like China, would 
it be mandated to use Chinese materials or technology in the 
construction of the data center? Please answer generally with respect 
to the multitude of data localization laws.
    Answer. Please see the study by the American Chamber of Commerce in 
China.\11\ Indeed China may take a majority stake in the data center 
ownership and operation so as to preclude any firm's complaint about 
the cost of forced data localization.
---------------------------------------------------------------------------
    \11\ https://www.amchamchina.org/policy-advocacy/policy-spotlight/
data-localization

    Question 5. The EU-U.S. Privacy Shield is a program that allows 
companies to transfer personal data to the United States from the 
European Union (EU) in a way that is consistent with EU law. However, 
the European Parliament passed a non-binding resolution in July 
claiming the United States was not complying with European law and 
called on the European Commission to suspend Privacy Shield by 
September 1 ``unless the U.S. is fully compliant.''
    What would the impact to U.S. businesses be if the EU Commission 
suspends Privacy Shield?
    Answer. The short answer is that a suspension of the agreement 
would be very disruptive for business. Moreover, it would signal a 
political breakdown in that the EU does not wish to be reasonable or to 
engage in good faith negotiation.
    It is important to note that no regulator or enterprise, whether 
American or European, expressed that the 15-year-old Safe Harbor 
agreement from 2000 was inadequate. However, the Safe Harbor agreement 
was invalidated by a lawsuit brought by activist Max Schrems in the 
European Court of Justice in 2015.\12\
---------------------------------------------------------------------------
    \12\ https://www.wsj.com/articles/europes-protectionist-privacy-
advocates-1457566423
---------------------------------------------------------------------------
    At its height, the Safe Harbor facilitated $250 billion annually in 
data transfer, including the salaries of millions of European workers 
employed by American companies. The Obama Administration, Department of 
Commerce, and other U.S. officials quickly and valiantly salvaged the 
agreement into the new Privacy Shield framework. The European 
Commission certified that the agreement was satisfactory and adequate 
in its first annual report of the new framework,\13\ but now, certain 
political factions (notably Max Schrems and the European Green Party) 
want to take the Privacy Shield hostage in a self-serving, geopolitical 
effort. They want to nitpick about the U.S. not having appointed an 
official ``ombudsman'' for the Privacy Shield and claim that this 
closes off ability for Europeans to seek redress of violation. However, 
Europeans already have multiple means to pursue redress in the USA 
(courts, FTC, Dept of Commerce etc.), even more than Americans have 
should they wish to pursue redress in the EU. Moreover, the current 
acting U.S. Under Secretary of State for Economic Growth, Energy, and 
the Environment has been performing the de facto role of the ombudsman 
even though it does not have the same title. The position was earlier 
held by Catherine Novelli.
---------------------------------------------------------------------------
    \13\ https://ec.europa.eu/transparency/regdoc/rep/1/2017/EN/COM-
2017-611-F1-EN-MAIN-PART-1.PDF
---------------------------------------------------------------------------
    By way of background, the European Green Party has succeeded in 
their key political goal to decommission the nuclear power industry in 
Germany. Now they need a new ``enemy'' and have thus defined it as 
Silicon Valley. The Green Party lost seats in the last EU Parliamentary 
election (2014). As a result, they ratcheted up the rhetoric against 
Silicon Valley, including the drive to promulgate the General Data 
Protection Regulation (GDPR). Note that the GDPR is an effort driven 
more by geopolitics than consumer protection.\14\
---------------------------------------------------------------------------
    \14\ http://www.aei.org/publication/privacy-regulation-insanity-
making-the-same-rules-and-expecting-a-different-outcome/
---------------------------------------------------------------------------
    Vera Jourova, the European Commissioner for Justice, Consumers and 
Gender Equality, has communicated to the U.S. on the Privacy Shield, 
but this likely reflects pressure she gets from Max Schrems and the 
Greens, rather than her authentic view. Jourova is part of the ANO 2011 
political party whose leader Andrej Babis became Prime Minister of the 
Czech Republic in December 2017. Babis is described as the ``Trump'' of 
the Czech Republic. The second richest person in the country, he tapped 
into the perceived conflict between the ``coffeehouse elite of Prague'' 
versus the country dwellers (similar to the dichotomy of U.S. coasts 
vs. ``flyover country''). While Jourova is trying to help create 
political wins for EU President Jean Claude Juncker, it is likely she 
is attuned to the populist and nationalist fervor that is sweeping the 
EU presently, in which many Europeans are skeptical of Brussels and 
increasingly want to disengage from the EU.
    Similarly situated is EU Commissioner for Competition Margrethe 
Vestager who also comes from a center-right party and is seen as heir-
apparent to EC President Jean Claude Juncker. For these politicians, 
the goal is to demonstrate that the European project still has value. 
In that way, the center right can create coalitions with left, anti-
corporate parties such as the Greens to channel nationalist fervor into 
fighting the invented enemy of American big tech, and thereby 
demonstrating the EU is still good for something.
                                 ______
                                 
Dear Minister Rudiantara, Chairman Wimboh and Governor Agus,

    We are writing you today as we understand that your ministries/
agencies are working with approximately 30 other government agencies to 
review Government Regulation 82 of 2012 (GR82). We commend these 
efforts and look forward to engaging with your government during the 
upcoming public consultation process on this regulation. We are also 
encouraged that the U.S.-Indonesia Trade and Investment Framework 
Agreement (TIFA) discussions held in Washington earlier this month 
identified the data localization requirement of GR82 as one of the 
priority issues in the bilateral commercial relationship. It is our 
hope that the issue can be resolved in a manner that is consistent with 
global norms and promotes investment and innovation.
    We believe that the requirement to locate data centers and disaster 
recovery centers in Indonesia, Article 17.2 of GR82, and repeated in 
POJK No. 69 of 2016, POJK No. 38 of 2016, MCIT No. 20 of 2016, MCIT 
Circular Letter No. 3/2016, Circular 17/52/DKSP, PBI 18/40/2016, PBI 
19/8/2017, and draft regulations on e-commerce and over-the-top 
services (OTT)--is not in Indonesia's best interests, and therefore we 
strongly advise that it be removed.
    Digital technologies are essential drivers of economic growth in 
Indonesia, and have the potential to contribute as much as $150 billion 
to the economy by 2025,\1\ if the Indonesian government creates a 
supportive and conducive regulatory environment. Requiring data centers 
and disaster recovery centers to be placed in Indonesia would interrupt 
data flows, thereby severely limiting Indonesia's economic development.
---------------------------------------------------------------------------
    \1\ http://www.mckinsey.com//media/McKinsey%20Offices/Indonesia/
PDFs/Unlocking-Indonesias-digital-opportunity.ashx
---------------------------------------------------------------------------
    Based on our discussions with various Indonesian stakeholders and 
further supported by research such as the recent report by the 
Information Technology and Innovation Foundation,\2\ we believe the 
cost of data localization outweighs any perceived benefits. For 
example, the data localization requirement would:
---------------------------------------------------------------------------
    \2\ https://itif.org/publications/2017/05/01/cross-border-data-
flows-where-are-barriers-and-what-do-they-cost
---------------------------------------------------------------------------

   Restrict Indonesian businesses' and consumers' access to 
        digital and e-commerce networks, causing fewer opportunities, 
        less choice, less service and significantly higher cost and 
        hampering efforts to develop Indonesia into Southeast Asia's 
        biggest digital economy by 2020.

   Increase cyber security risks by creating multiple entry 
        points in global platforms.

   Limit Indonesian businesses' and consumers' access to online 
        resources and innovative services.

   Undermine the competitiveness of leading Indonesian and 
        global businesses by imposing limits on the ability to utilize 
        big data.

   Raise costs significantly--for example, Brazil's proposed 
        data localization policies would have increased prices by 54 
        percent for cloud-computing services.\3\
---------------------------------------------------------------------------
    \3\ http://www.leviathansecurity.com/blog/quantifying-the-cost-of-
forced-localization
---------------------------------------------------------------------------

   Encourage others to retaliate leading to the fragmentation 
        of the Internet and greatly limiting Indonesian startups from 
        expanding regionally and globally.

   Lead to lost trade and investment opportunities and reduced 
        competitiveness. Studies clearly show that data localization 
        requirements are a deterrent to investment. A 2016 report by 
        Fifth Era shows that 67 percent of investors surveyed are 
        uncomfortable investing in Internet businesses that are legally 
        obligated to store user data on servers located in the same 
        country where users are located and/or build their own data 
        centers locally in each country of operations. This concern is 
        most prevalent in countries that have discussed data 
        localization, namely India (81 percent) and Indonesia (82 
        percent).\4\
---------------------------------------------------------------------------
    \4\ http://static1.squarespace.com/static/5481bc79e4b01c4bf3ceed80/
t/56f192c240261d47035
66506/1458672343753/201603+Fifth+Er+Report+-
+The+Impact+of+Internet+Regulation+on+
Investment.pdf
---------------------------------------------------------------------------
    According to the European Center for International Political 
Economy, if data localization requirements are implemented across all 
sectors of the economy, Indonesia will lose 0.7 percent of GDP, see a 
2.3 percent reduction in domestic investment, suffer a 1.7 percent 
decrease in exports, and experience consumer welfare losses of USD 3.7 
billion through higher prices and displaced domestic demand.\5\
---------------------------------------------------------------------------
    \5\ http://www.ecipe.org/app/uploads/2014/12/OCC32014_1.pdf
---------------------------------------------------------------------------
    Furthermore, data localization requirements and similar mandates 
are contrary to global norms, as seen in the APEC Leaders Statement 
adopting the APEC Cross Border Privacy Principles,\6\ the OECD 
Guidelines on the Protection of Privacy and Transborder Flows of 
Personal Data \7\ and the Trans-Pacific Partnership (TPP) Agreement.\8\
---------------------------------------------------------------------------
    \6\ http://www.apec.org/Meeting-Papers/Leaders-Declarations/2011/
2011_aelm
    \7\ http://www.oecd.org/sti/ieconomy/
oecdguidelinesontheprotectionofprivacyandtransborder
flowsofpersonaldata.htm 
    \8\ https://www.usasean.org/system/files/downloads/
joint_summary_of_tpp.pdf
---------------------------------------------------------------------------
    By removing these barriers and taking a more liberalized approach, 
Indonesia will facilitate increased job creation and economic growth. A 
recent study by the U.S. Chamber of Commerce demonstrates that a more 
open, competitive marketplace for data flows would create 1.74 million 
Indonesian jobs, USD 1.42 billion in government revenue, USD 6.48 
billion in new investments, and a USD 29.38 billion contribution to 
GDP.\9\
---------------------------------------------------------------------------
    \9\ https://www.uschamber.com/sites/default/files/
022925_ict_reportflyer_indonesia2.pdf
---------------------------------------------------------------------------
    We recognize the Indonesian government's interest in maintaining 
reliable access to company and financial data for legitimate 
regulatory, audit, and investigative purposes. The U.S. private sector 
is willing to continue to engage constructively in finding a solution 
that meets the government's needs as well as those of businesses and 
consumers. Furthermore, governments around the world are already 
developing data sharing systems that would allow regulators to access 
data held in other countries, like the International Association of 
Insurance Supervisors (IAIS)'s multilateral memorandum of understanding 
(MMoU). Sixty-one insurance supervisors, including those of Singapore, 
Malaysia, Hong Kong, Australia and India currently utilize this network 
to share information. Restrictions on cross-border data transfers could 
prevent regulators and auditors in other countries from accessing 
information about businesses operating in Indonesia, undermining 
regulatory cooperation and creating compliance challenges for 
multinational companies.
    Thank you for your attention and for considering this input. The 
U.S. private sector stands ready to serve as a resource in the 
continued discussions around GR82.
            Sincerely,
                                               Lin Neumann,
                                                 Managing Director,
                                                      AmCham Indonesia.

                                                Jeff Paine,
                                                 Managing Director,
                                               Asia Internet Coalition.

                                             Jared Ragland,
                                     Senior Director, Policy--APAC,
                                           BSA | The Software Alliance.

                                          Jonathan Kallmer,
                              Senior Vice President, Global Policy,
                               Information Technology Industry Council.

                                         Alexander Feldman,
                                                 President and CEO,
                                             US-ASEAN Business Council.

                                               Tami Overby,
                                       Senior Vice President, Asia,
                                              U.S. Chamber of Commerce.

cc: His Excellency Budi Bowoleksono, Ambassador of Indonesia to the 
United States
The Honorable Joseph R. Donovan, Jr., United States Ambassador to 
Indonesia
                                 ______
                                 
                   Data Localization Myths and Facts
MYTH: Requiring local data centers will create jobs.
FACT: Jobs are created by businesses that leverage a global network of 
        data centers, using the best available technology to increase 
        efficiency regardless of location. Data centers only create a 
        limited number of low paying, short-lived jobs.
    An open marketplace that allows data flows enables domestic 
industries to focus on the quality of their products and services, 
better positioning them to compete in global markets rather than spending 
time and resources on how to move data across borders. Data centers can 
cost hundreds of millions of dollars to build and operate.
    The experience to date in both Europe and the United States 
indicates that while construction of data centers creates employment 
opportunities, they are relatively short-lived. For example, only 50 
people are needed to support a $1 billion mega-data center built by 
Apple in the small town of Maiden, North Carolina.\1\ Further, data 
centers are becoming increasingly automated, requiring less staff to 
help run them.
---------------------------------------------------------------------------
    \1\ https://www.washingtonpost.com/business/economy/cloud-centers-
bring-high-tech-flash-but-not-many-jobs-to-beaten-down-towns/2011/11/
08/gIQAccTQtN_print.html
---------------------------------------------------------------------------
MYTH: Data localization policies will boost economic growth.
FACT: In the long-run, forced localization policies will negatively 
        impact GDP and foreign investment.
    Visions of years of enormous property tax benefits are outweighed 
by the incentives that local governments are required to pay to lure 
companies to locate in their jurisdiction and by the need to subsidize 
the large amount of electricity required to run a data center.
    The European Centre for International Political Economy examined 
the overall impact of localization measures in seven countries--Brazil, 
China, the European Union, India, Indonesia, Korea, and Vietnam--and 
found negative impacts on GDP and foreign investment. They found that 
economy-wide data localization laws drain between 0.7 percent and 1.1 
percent of GDP from the economy and that any gains are too small to 
outweigh losses in terms of welfare and output in the general 
economy.\2\
---------------------------------------------------------------------------
    \2\ http://www.ecipe.org/app/uploads/2014/12/OCC32014_1.pdf
---------------------------------------------------------------------------
MYTH: Data localization will promote domestic industry.
FACT: Data localization requirements reduce competitiveness by walling 
        off domestic businesses from the billions of potential 
        customers outside of the home country's borders.
    The isolation created by data localization reduces investment and 
access to capital--the ability to assess a potential borrower's 
creditworthiness or to spot potentially fraudulent activity often depends 
on the ability to move data across borders. Data localization policies 
require more redundancy, personnel, and costs that could be more 
efficiently utilized elsewhere.
MYTH: Data localization will lower costs for domestic business.
FACT: Requirements for local servers could hurt domestic industry by 
        compelling local businesses to sacrifice efficiency and seek 
        out more expensive, less reliable services.
    Localization requirements may limit the ability of firms to access 
logistics and supply chain infrastructure, conduct effective research, 
secure appropriate insurance, or readily participate in financial 
markets. Moreover, one source indicates that when a data center goes 
down, it can cost a company as much as $7,900 per minute. Regions with 
inconsistent electric grids frequently experience hours of downtime, 
resulting in substantial costs. Economic growth is better served by 
companies that are able to leverage the most efficient and reliable 
services from around the world.
    Local businesses would be required to pay 30-60 percent more for 
their computing needs if required to localize than if they could go 
outside the country's borders. Further, many countries considering data 
localization have no publicly available cloud computing providers, 
meaning they would be forced to use non-public cloud computing 
resources, or to purchase and maintain their own infrastructure which 
would require significant investment.\3\
---------------------------------------------------------------------------
    \3\ https://static1.squarespace.com/static/
556340ece4b0869396f21099/t/559dad76e4b0899d97
726a8b/1436396918881/Quantifying+the+Cost+of+Forced+Localization.pdf
---------------------------------------------------------------------------
MYTH: Data localization increases security.
FACT: Data security depends on a plethora of controls, not the physical 
        localization of a server. Keeping data in limited physical 
        locations harms the security of that data.
    Businesses often back up data outside the country in which it is 
collected to help ensure it remains secure in the event of a natural 
disaster, power outage or other such emergency that could take a data 
center offline. Businesses and consumers benefit when those who maintain 
data are able to use the best available security measures, regardless 
of the physical location of the data they seek to protect. Geographic 
neutrality with regard to data storage enables all companies, 
particularly small ones, to employ cost-effective information security 
solutions. Requiring data to be localized would actually increase the 
risk of cyber attacks as the amount of data held increases in limited 
locations.
MYTH: Storing data locally ensures individual privacy and protects data 
        from over-broad law enforcement access abroad.
FACT: Forcing data to be stored locally does not have any incremental 
        impact on privacy.
    The belief is that, if data are required to be kept within a 
country, governments will be better able to ensure individual privacy 
and prosecute those who violate privacy laws. In reality, the location 
of servers has absolutely no effect on privacy, as the local government 
would still have legal jurisdiction over companies who own the data, 
regardless of where their data are actually stored.\4\
---------------------------------------------------------------------------
    \4\ http://www2.itif.org/2013-localization-barriers-to-
trade.pdf?_ga=1.126836941.1580072294.14
83722057
---------------------------------------------------------------------------
    In general, firms have reported that data-localization requirements 
are expensive, time-consuming, and disruptive, and do not improve data 
privacy, which is often the officially stated purpose of this type of 
measure.\5\ Only narrowly tailored and proportionate privacy 
requirements allow for better oversight and the protection of 
individual privacy.
---------------------------------------------------------------------------
    \5\ https://www.usitc.gov/publications/332/pub4485.pdf
---------------------------------------------------------------------------
MYTH: Data localization only impacts Internet companies.
FACT: Data localization impacts the operation of foreign and domestic 
        companies across all sectors.
    Over 90 percent of global companies are using ICT services, such as 
cloud computing, in at least part of their operations.\6\ The Internet 
opens up new markets and export opportunities for businesses of all 
sizes. Small and medium-sized enterprises that rely heavily on Internet 
services have 22 percent greater revenue growth than companies that do 
not.
---------------------------------------------------------------------------
    \6\ http://assets.rightscale.com/uploads/pdfs/RightScale-2015-
State-of-the-Cloud-Report.pdf.
---------------------------------------------------------------------------
    Data localization policies fragment the Internet. These 
requirements build artificial walls or checkpoints that stop data from 
flowing outside national boundaries, making it more difficult and 
expensive to operate beyond borders. This is especially the case for 
businesses that do not have the resources to deal with burdensome 
restrictions in every country in which they may have customers.
MYTH: Data localization centers are cost-effective and lower trade 
        deficits.
FACT: Typically the equipment necessary for a data center needs to 
        be imported into a country, driving up the trade deficit. 
        Further, data center costs are on the rise due to the increased 
        power capacity necessary.
    Data centers require varying kinds of equipment in order to 
operate. The first is IT equipment, which includes servers, storage 
units, and network equipment. This is expensive hardware that is 
usually specialized for the type of data it will store. This equipment 
typically has to be shipped into the country, and is not just a one-
time cost. In order to stay up-to-date, hardware has to be regularly 
modernized. For example, it is recommended that IT servers are renewed 
every three years in order to maintain performance and reliability.
    The second category of equipment is everything that will help the 
data center run, such as electrical systems, mechanical systems, 
cooling etc. While these goods are usually sourced locally, they 
come at a high cost. Power costs alone of a data center run around 
100,000 USD per megawatt while network connectivity costs run about 
250,000 per mile of fiber optic cable connection.
MYTH: Data localization centers guarantee more innovative technologies.
FACT: Not all data centers give access to new and innovative products 
        and services. And once a center is built, adapting the center 
        to new technologies requires more equipment and cost. The most 
        effective way to encourage innovation is through allowing 
        companies to collect, move, and analyze data across borders.
    Not all data centers are the same. Many different types of data 
centers and service models exist depending on the data being stored. 
Depending on the function one data center may require customized 
equipment, higher bandwidth, and/or more security versus another data 
center. Therefore, simple requirements to store data locally may not 
ensure that the data centers created will focus on innovative 
solutions. Further, a data center has limited capacity. Once it is 
built it is not easy to change the amount of storage and workload it can 
handle without purchasing and installing more equipment.
    Innovation requires data to move so that companies can collect, 
transfer, and analyze data. Data centers create an unnecessary barrier 
to this movement that can make firms less competitive and innovative. 
Instead of putting more resources into improving and creating new 
products and services, companies are forced to spend more money on data 
storage and compliance activities. This impedes the ability to put more 
resources into day-to-day activities as well as innovation. Domestic 
companies and start-ups will also find it harder and more expensive to 
benefit from the competitive global market that allows the exchange of 
research, new technologies, and best practices that can improve 
products and services.
                                 ______
                                 
               Statement of the U.S. Chamber of Commerce
                                  ON:
   Investigation No. 332-562 Global Digital Trade 2: The Business-to-
       Business Market, Key Foreign Trade Restrictions, and U.S. 
                            Competitiveness;
   Investigation No. 332-563 Global Digital Trade 3: The Business-to-
            Consumer Market, Key Foreign Trade Restrictions
            TO: U.S. International Trade Commission (USITC)
                      BY: U.S. Chamber of Commerce
                          DATE: April 6, 2018
    The U.S. Chamber of Commerce is the world's largest business 
federation representing the interests of more than 3 million businesses 
of all sizes, sectors, and regions, as well as state and local chambers 
and industry associations. The Chamber is dedicated to promoting, 
protecting, and defending America's free enterprise system.
    More than 96 percent of Chamber member companies have fewer than 
100 employees, and many of the Nation's largest companies are also 
active members. We are therefore cognizant not only of the challenges 
facing smaller businesses, but also those facing the business community 
at large.
    Besides representing a cross section of the American business 
community with respect to the number of employees, major 
classifications of American business--e.g., manufacturing, retailing, 
services, construction, wholesalers, and finance--are represented. The 
Chamber has membership in all 50 states.
    The Chamber's international reach is substantial as well. We 
believe that global interdependence provides opportunities, not 
threats. In addition to the American Chambers of Commerce abroad, an 
increasing number of our members engage in the export and import of 
both goods and services and have ongoing investment activities. The 
Chamber favors strengthened international competitiveness and opposes 
artificial U.S. and foreign barriers to international business.
    Thank you for this opportunity for the U.S. Chamber of Commerce 
(the Chamber) to provide a submission to the U.S. International Trade 
Commission's (USITC) Inv. No. 332-562 Global Digital Trade 2: The 
Business-to-Business Market, Key Foreign Trade Restrictions, and U.S. 
Competitiveness and Inv. No. 332-563 Global Digital Trade 3: The 
Business-to-Consumer Market, Key Foreign Trade Restrictions, and U.S. 
Competitiveness.
    The United States has positioned itself as the leader of the global 
digital economy. American companies innovate faster and generally out-
compete foreign firms. The benefits of the digital economy are not 
limited to ``technology'' companies but are experienced by companies 
across all industries from agriculture to manufacturing. U.S. 
businesses of all sizes rely on the Internet to manage their 
relationships with customers and supply chains; digital commerce has 
spread widely and is even creating completely new industries.
    However, U.S. competitiveness is threatened by the imposition of 
trade barriers that create market access barriers, discriminate against 
U.S. firms, and limit the movement of data across borders. In this 
submission, the U.S. Chamber would like to highlight five of the top 
barriers our companies are facing abroad: (1) data localization, (2) 
local content requirements, (3) standards, (4) privacy and cybersecurity, 
and (5) intellectual property. In addition, we have provided an annex that 
lists specific barriers per country.
    1. Data Localization: Data localization barriers continue to be one 
of the most prevalent and impactful barriers to American companies who 
are forced to localize their operations. The movement of data through 
the global economy is becoming just as important as the ability to move 
goods, services, or capital. Further benefits will not be realized if 
data does not have the ability to cross borders.
    Data localization requirements directly limit the movement of data. 
Some common requirements U.S. companies are facing include mandatory 
establishment of a data center or physical presence within a 
jurisdiction in order to operate as well as restrictions on how data 
can be transferred internationally. Data localization requirements 
raise costs for U.S. companies and disrupt their 
global operations by creating silos of data. In addition, many of the 
countries requiring data to be stored locally lack the necessary 
infrastructure to ensure ease of doing business and security.
    2. Local Content Requirements: Local content requirements require 
firms to use domestically manufactured goods or domestically supplied 
services in order to operate in an economy. Foreign governments are 
increasingly mandating the use of local content in an attempt to boost 
the local economy, enhance skills and capabilities, and boost 
employment.
    Countries are increasingly trying to encourage indigenous 
innovation through local content requirements, particularly linking 
specific requirements to government procurement contracts and 
standards.
    3. Standards: As technology continues to evolve, standards must 
evolve as well. Voluntary, industry-led, globally recognized standards 
will drive secure, flexible, and interoperable solutions that scale 
across a global ecosystem. Internationally recognized standards enable 
interoperability, helping to expand the access business, government, and 
consumers have to global markets.
    However, many countries continue to set their own onerous local 
standards rather than utilizing internationally accepted standards, 
assessments, and certifications. Over 80 jurisdictions have created new 
ICT-related technical standards, many of which are not consistent with 
global standards and norms.
    These types of standards create a hodgepodge of sometimes 
conflicting and overlapping requirements that disrupt global supply 
chains. Others have unnecessary requirements that companies duplicate 
testing or approval, even though standards between the United States 
and that country are similar. Redundant and unnecessary in-country 
testing and certification requirements create a costly burden for 
American companies trying to enter or already established in the 
market.
    4. Privacy and Cyber Security: As the movement of data increases, 
data privacy and security have become growing concerns around the 
globe. While privacy and security standards are necessary in order to 
ensure consumer protection, consumers and businesses also need to be 
able to move and access data. However, governments often enact measures 
that interfere with these needs without a good regulatory 
justification, creating difficulties for companies conducting business 
in-country and worldwide. It is important to note that these challenges 
are not necessarily traditional ``trade'' type problems where trade 
tools are well situated to tackle concerns. More often these issues 
require intensive engagement on the part of U.S. regulators engaging in 
regulatory cooperation type activities.
    While privacy and cybersecurity regimes can create regulatory 
challenges that impede digital trade, the motives are not always easily 
discernable to label them clear attempts to obfuscate trade 
commitments. Many countries have cited privacy and cybersecurity 
concerns as the basis for requiring foreign companies to store data 
within national borders. U.S. regulators should engage with their 
international counterparts to identify their regulatory objectives with 
regards to privacy or cyber security in order to determine whether less 
trade restrictive solutions can be identified.
    5. Intellectual Property: In a rapidly evolving digital age, 
adequate protection for digital products and services is critical to 
supporting 21st century creativity. As IP-driven creative and 
innovative content is increasingly consumed digitally, effective IP 
protections must be in place and enforced online. Strong IP protections 
provide the legal certainty needed to incentivize investment in the 
newest, next-generation technologies and help ensure that these 
technologies will be appropriately protected from bad actors and unfair 
market practices that discourage future investment. Moreover, strong IP 
protections incentivize investment in high-quality content creation 
that drives global Internet traffic to legitimate digital platforms.
    In particular, companies are increasingly facing requirements to 
disclose source code and algorithms as a condition for market access. 
This is proprietary information that enables companies to deliver 
cutting edge research, products, and services. Further, some countries 
that require source code and algorithm disclosure use that information 
to prop up their own domestic industry, which in turn erodes the 
ability of U.S. companies to compete.
    The Chamber has released an annual International IP Index that 
illustrates how economies with strong IP systems are more likely to 
derive the following benefits:

   26 percent more likely to benefit from access to the latest 
        technologies

   Provide up to three times greater access to licensed music 
        online

   Generate nearly three times more theatrical screenings of 
        feature films

   Generate twice as many video-on-demand and streaming 
        services

   Generate almost 3 times more online creative content

   62 percent more likely to have larger and more dynamic 
        content and media sectors

    To further underscore our points above, we have compiled a non-
exclusive annex of digital trade barriers that U.S. companies face 
across key markets. We appreciate the opportunity to comment and 
welcome further opportunities to assist USITC with its investigation of 
business-to-business and business-to-consumer digital trade barriers.
                  Annex: Specific Concerns by Country
Brazil
    Data Localization: Brazil has a number of proposed regulations 
requiring data localization. In particular, the Marco Civil da Internet 
(Law No. 12,965/2014) and recently, the Personal Data Protection Law 
Draft Bill. Marco Civil da Internet was enacted in 2014. Described as 
``The Constitution of the Internet'', the law is aimed at defending 
privacy rights and net neutrality. Although the provision for data 
localization was proposed and debated, it was not included in Marco 
Civil da Internet.
    Local Content Requirements: Brazilian law includes a number of 
local content requirements. The forced localization policies limit the 
legitimate content that Brazilian consumers can access, which could 
force users to seek out the content on illegitimate sites. The local 
content requirements also disrupt the existing supply chain and inhibit 
the growth of new technologies.
    The Plano Brasil Maior, aimed at boosting the competitiveness of 
the domestic industry, has led to the implementation of the Buy 
Brazilian Act. In public bidding, a preference margin of 25 percent is 
given to goods or services that are produced domestically and comply 
with local technical regulations. It promotes goods and services 
created by local companies, and companies that invest in research and 
development in Brazil. Furthermore, the law allows for ``strategic'' 
ICT goods and services public procurements to be restricted to local 
bidders. Other than the Buy Brazilian Act, Decree 7174 regulates the 
procurement of ICT goods and services of the public sector. Government 
bodies are to provide preferential treatment to locally produced ICT 
goods and services based on a non-transparent price/technology matrix. 
While cross-border ICT service vendors are not excluded from public 
procurement, protectionist measures such as the Buy Brazilian Act and 
Decree 7174 put them at a great disadvantage.
    In addition, the Basic Production Process (Article 3 of Law No. 
8248 from October 23, 1991) has provisions that offer government 
procurement preferences for goods and services that employ technology 
developed locally. The Basic Production Process requires the employment 
of goods/machines produced locally or technology developed locally.
    Brazil has barriers to foreign participation in the 
telecommunications sector. According to the Federal Constitution, 
article 21, XI and Decree No. 2.617 article 1, in order to receive 
authorization from Anatel, the National Telecommunications Agency, a 
company must be headquartered in Brazil and have 51 percent of 
national capital. Indirect participation is allowed through an 
intermediary, but uncertainty on these provisions remains regarding 
the ability of foreign companies to participate in the 
telecommunications sector.
    Privacy: Brazil currently has two data protection bills pending, PL 
4060/2012 (House bill) and PLS 330/2013 (Senate bill). These bills 
mimic the European Union's General Data Protection Regulation (GDPR) 
but have even more stringent provisions. The proposed definition of 
personal data is expansive and ambiguous, framing almost all general 
personal information as personal data.
    The draft bills aim to protect the processing of personal data in 
order to guarantee the free development of the natural person's 
personality and dignity. Bill No. 5276/2016 stipulates a provision 
regulating the international transfer of data. This article could 
potentially be a barrier for the provision of cross-border ICT 
services. It stipulates that cross-border data transfers are only 
allowed if the corresponding countries share an equivalent level of 
data protection to that of the Brazilian law.
    The draft bills do not provide a list of countries to which 
international data transfers are permitted. Sources report that these 
bills are heavily modelled on the European Data Protection Directive. 
Accordingly, the EU commission has presently recognized the following 
countries as providing adequate data protection: Andorra, Argentina, 
Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, 
Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. As such, 
should the Personal Data Protection Law be enacted, Brazilian companies 
that have their data stored outside of the countries listed above will 
have to repatriate their data and rely on domestic data centers. 
Accordingly, the law will limit the breadth of ICT services that would 
otherwise be available to local companies.
    Digital Piracy: Online piracy remains pervasive in Brazil, greatly 
limiting economic and cultural opportunities for Brazilian and American 
creative industries alike. Because increased broadband use has 
accelerated the expansion of pirated works online, steps must be taken 
to develop a legitimate online marketplace which adequately protects 
copyrighted works. Of note, in 2017, a new important player has gained 
force in the Brazilian piracy ecosystem which further undermines 
protection for copyrighted content online: illegal streaming devices, 
such as the HTV box, which offers the entire grid of live TV paid 
channels, as well as a VOD service with movies and TV shows, illegally 
sourced. Furthermore, industry reports that over 50 percent of the 
products on the main Brazilian e-commerce platform, 
Mercadolivre.com.br, are counterfeit. Brazil's copyright environment 
could be significantly strengthened through the creation of effective 
and timely mechanisms to combat online copyright infringement, most 
notably expanding the availability of injunctive relief to prevent 
access to infringing materials.
    Standards: The United States and Brazil are both participants in 
CITEL. Brazil should implement the Inter-American Telecommunication 
Commission (CITEL) Mutual Recognition Agreement (MRA) with regard to 
the United States. This would allow the United States and Brazil to 
agree to mutual recognition of conformity assessment bodies and mutual 
acceptance of the results of testing and equipment certification 
procedures in regard to telecommunications equipment.
    Cloud Computing Security Regulation: The Brazil Central Bank's 
draft cloud computing security regulation (Public Consultation Notice 
57/2017) includes a number of provisions which are concerning to 
industry. These include:

   Provisions that require data to be stored within Brazil

   Onerous company reporting requirements which will 
        potentially damage companies' ability to implement best in 
        class security solutions

   Prescribing specific security solutions which limit 
        companies' ability to assess and manage cybersecurity risks to 
        their business

   Mandating broad cyber incident reporting requirements which 
        will create an administrative burden on companies and 
        regulators without increasing security

   Requiring that companies share sensitive commercial 
        information without a clear regulatory or investigatory purpose

   Creating potentially overlapping cybersecurity regulatory 
        requirements

    The Central Bank has indicated a willingness to engage with 
stakeholders. We intend to work with them to remove these concerning 
provisions.
China
    Digital Piracy: With respect to online piracy, there has been some 
progress in recent years in government enforcement against distribution 
of infringing content. Chinese enforcement authorities have begun to 
crack down on illegal distribution of content, and rights holders have 
successfully sued websites engaged in brazen infringement, in some 
cases supported by the National Copyright Administration of China 
(NCAC). Not surprisingly, the legitimate market has responded 
positively to this crackdown on illegal activity. However, China still 
lacks effective tools to encourage cooperation of Internet 
intermediaries, ensure rapid takedown of infringing content, take 
action against repeat infringers, and provide proactive measures to 
address piracy. The NCAC national campaign, pushing ahead the third 
amendment of the Copyright Law, and the new NCAC guidelines for cloud 
services have been good steps in the right direction, but much more 
still needs to be done. Increased criminal actions against online 
infringers and additional measures against Internet service providers 
and online platforms that knowingly host infringing content should be a 
priority in the coming year.
    There is an additional type of piracy that has become rampant 
throughout Asia--illicit streaming devices such as media boxes, set-top 
boxes, or other devices that allow users, through the use of piracy 
apps, to stream, download, or otherwise access unauthorized content 
from the Internet. ISDs are part of a sophisticated and integrated 
online ecosystem facilitating access to pirated audiovisual materials. 
These devices have emerged as a significant means through which pirated 
motion picture and television content is accessed on televisions in 
homes in China. China is a hub for the manufacture of these devices. 
The devices may be promoted and/or advertised to enable infringement of 
copyright or other illegal activities. Chief among these activities 
are: (1) enabling users to access unauthorized decrypted motion 
pictures or television programming; (2) facilitating easy access, 
through apps, to remote online sources of unauthorized entertainment 
content including music, music videos, karaoke, motion pictures and 
television programming, video games, and published materials; and (3) 
pre-loading the devices with infringing apps that provide access to 
hundreds of high definition (HD) motion pictures prior to shipment or 
allowing vendors to load content upon import and prior to sale, or as 
an ``after sale'' service. The Chamber notes that the Beijing 
Intellectual Property Court held a set top box manufacturer liable for 
streaming unauthorized content under secondary liability theory in 
2015. The Chamber is hopeful that China will take a firm stand against 
this type of infringing activity and take enforcement efforts to 
eradicate the problem, including against exports.
    The issue of online journal piracy continues in China and appears 
to be worsening. Unauthorized services sell online access to, or copies 
of, journal articles without the authorization of--or payment of 
compensation to--publishers. These unauthorized services undermine the 
investment that international (and Chinese) publishers make in journal 
publishing, which helps to deliver high quality journals that are 
critical to the advancement of science, technology and medicine within 
China and globally. Timely enforcement and effective deterrence are 
critically important. China's failure to conclude the investigation of 
the case against KJ Med illustrates the remaining enforcement 
challenges that allow such an entity to continue its operations.
    Publishers also continue to be concerned about ``sharing 
services,'' which are open online platforms where users can upload and 
share documents. These services, such as Baidu Wenku, Sina, and Docin, 
employ ``digital coin'' systems, whereby coins earned through uploading 
documents may be used to ``purchase'' English language and Chinese 
translations of trade books, textbooks, and journals for download. 
These sharing services have ineffective notice and takedown processes 
for reporting and addressing infringements. Other online entities sell 
login credentials that are used to gain unauthorized access to 
proprietary online journal databases.
    Data Localization: The Chinese government is exerting greater 
control over where commercial data is stored and how it is transferred, 
thereby skewing the decision making of foreign companies that must 
decide where products are made and innovation takes place.
    Data localization requirements have appeared in a wide range of 
Chinese policies, making their impact broadly felt across all sectors 
of China's economy, including banking, insurance, credit rating, 
mapping, healthcare, power generation, and cloud computing. These 
policies are restricting the ability of companies to compete in the 
China market as multi-national companies.
    Below is the primary legal framework and authority for data 
localization:

    Cybersecurity Law (CSL): Effective June 1, 2017, China's CSL 
provides a legal framework and basis for data localization. It sets 
forth a potentially expansive scope to store personal information and 
important data--both vaguely defined terms--within China's borders. 
Article 37 of the law requires all personal information and important 
data gathered or generated by critical information infrastructure (CII) 
operators to be stored in China. CII operators can transfer 
information/data out of China if they have a necessary business 
requirement and conduct and pass a security assessment (see section 
below on cross-border data flow for details about the security 
assessment).
    The definition and scope of CII is essential to assessing the data 
localization requirement on industry. Article 31 of the CSL gives a 
broad definition that is both vague and expansive, and requires the 
State Council to formulate a specific CII administrative regulation.
    Regulation on the Protection of Critical Information Infrastructure 
(CII): Issued for public comment in July 2017, this draft regulation 
sets forth significant and stringent regulatory obligations, including 
requirements to store important data and personal information locally 
and a mandatory review process to move data outside China. Similar to 
the CSL, the draft regulation provides a broad and unclear scope for 
CII--including everything from telecommunication networks, broadcasting 
networks, Internet and other information networks, to organizations 
that provide cloud computing, big data, and other information 
services--that creates significant uncertainty for businesses.
    The Chamber expects China's Technical Committee 260 (TC 260) to 
issue guidelines on CII to provide further guidance on CII designation. 
The business community urges the Chinese government to define CII 
narrowly to only the most sensitive systems, such as the Communist 
Party of China, the Central Government, and the People's Liberation 
Army but not including state-owned enterprises, local governments, and 
healthcare and education institutions. Regrettably, it appears the 
reverse may be happening; a recent National People's Congress work 
report found over 12,000 CII systems.
    Personal data protection/privacy measures: As China develops its 
privacy and data protection regime it is critical to engage relevant 
stakeholders to ensure interoperability and benefit consumers, 
industry, and governments alike. The U.S. business community is 
concerned that China has been hesitant to address privacy protection 
and enforcement issues through international cooperation. At present, 
China is not a member of the APEC cross-border privacy rules system or 
the cross-border privacy enforcement arrangement, and its data storage 
and security assessments are incompatible with existing or emerging 
frameworks, including APEC, the General Data Protection Regulation, 
Pacific Alliance, and the NAFTA update. Industry is concerned that 
China's approach to data protection and privacy--which unreasonably 
focuses more on where rather than how data is stored in the name of 
privacy and cybersecurity--will risk fragmenting the Internet along 
national or regional borders.
    China has neither an omnibus privacy/data protection law, nor a 
single data protection authority responsible for enforcement. Rather, 
it regulates and enforces privacy through a number of industry-specific 
regulations and agencies. Some Chinese officials are calling for a 
stand-alone Privacy Law; however, it is still likely several years 
away.
    Below is a non-exhaustive list of the main laws and regulations 
currently governing personal data protection and privacy.

    Cybersecurity Law: China's CSL adopts and modifies existing 
regulation on privacy issues and codifies them into law. The CSL 
requires user consent for the collection of personal information. Such 
requirements apply to network operators rather than being applicable to 
data collection generally by all potential data collectors. Network 
operators--a term that is loosely defined and could mean any network--will be 
subject to several requirements on collecting and using personal 
information, including ensuring the collection and use is legal, 
proper, and necessary, removing/correcting errors in personal 
information, and informing authorities in the event of a data breach or 
likely data breach.
    Personal Information Security Specification: In initial drafts of 
the Specification, explicit consent was required for the collection and 
use of personal information. The final draft, however, removed the term 
``explicit'' from consent for certain items. This change may signal a 
potential easing on the consent requirement to allow implied consent. 
However, because the specification does not expressly state that 
implied consent is allowed, it may lead to uneven implementation by 
enforcement agencies.
    Moreover, because the CSL does not allow the collection of personal 
data outside consent, it creates incoherence between law and standard. 
Consequently, despite some optimism, uneven and selective enforcement 
appears to be the most realistic result.
    As China's data and privacy measures are in a state of flux, it is 
critical that the U.S. Government continue to monitor ongoing 
developments and their impact on industry.
    Restrictions on cross-border data flows: In addition to the 
policies discussed in the above data localization section, China also 
maintains specific regulations and standards aimed at cross-border data 
flows:

    Security Assessment Measures for Exporting Personal Information and 
Important Data: The Measures introduced by Cyberspace Administration of 
China (CAC) in April 2017 implement Article 37 of the CSL, outlining 
security assessment requirements for companies that export data 
overseas. While the CSL only requires a security assessment for CII 
operators, the Measures significantly expand the scope of cross-border 
data flow restrictions to all network operators, which could 
conceivably encompass any company. After significant pushback from 
industry, CAC granted a 19-month grace period (which will take effect 
December 2018) for businesses to comply with the Measures, but it does 
not appear to have addressed industry's substantive concerns.
    Guidelines for Cross-Border Data Transfer Security Assessment: 
China's TC 260 issued the draft Guidelines for public comment in 
October 2017. The latest draft broadens the definition of ``operations 
within the territory of China'' to network operators that are not 
registered in China but provide products or services inside the 
country. It also expands the definition of data exports to data that is 
not transferred to or stored outside of China but is accessed and 
viewed by overseas individuals or organizations (excluding public 
information/websites). Regrettably, these guidelines intensify foreign 
companies' concerns about the outlook of China's data regulation.
    In combination with China's data localization requirements, the 
cross-border data flow restrictions are raising costs and creating an 
uneven playing field. Restrictions on cross-border data transfer 
advantage domestic companies through easier access to data on one of 
the world's two largest national populations as data is regarded as a 
national strategic resource.
    We welcome the recent U.S. Government filing at the WTO that calls 
upon China to refrain from implementing the CSL and various 
implementing measures. The U.S. Chamber and our members agree with the 
U.S. Government that implementation of these measures would disrupt, 
deter, and in many cases, prohibit cross-border transfers of 
information that are routine in the ordinary course of business.
Technical Standards
    Commercial cryptography/encryption regulations: The Chinese 
government is in the process of drafting its first Encryption Law. The 
below summary highlights industry's main concerns:

    Draft Encryption Law: China's draft Encryption Law takes an overly 
broad regulatory approach towards commercial encryption that could have 
a large impact on trade in ICT products in China. Key provisions of 
concern include strict and intrusive import/export licensing regimes 
for commercial products with encryption, requirements to use mandatory 
national standards, burdensome testing and certification requirements, 
and broad enforcement powers that could require disclosure of sensitive 
and confidential business information. Moreover, the Cryptography Law 
limits participation by foreign companies to one of the three 
categories of encryption and only under strict regulation. Because 
encryption is a standard feature of almost all technology products, it 
could have significant impact on a wide range of companies.
    Market-specific testing and certification requirements: China uses 
a number of testing, certification, and standards requirements that not 
only restrict companies' ability to access and compete in the market, 
but also put valuable IP and proprietary information at risk of theft 
or exposure.
    Secure and Controllable: ``Secure and controllable'' is one of the 
clearest and most concrete examples of discriminatory treatment through 
a standard. The basic secure and controllable concept is incorporated 
into both the National Security Law and the CSL, giving it a legal 
basis.
    Although never formally defined, regulations and guidelines using 
the term indicate that companies' information communications products 
would not be able to qualify as ``secure and controllable'' unless they 
surrender key technologies, such as source code and encryption 
algorithms, to Chinese authorities. In recent draft standards issued by 
the Chinese TC 260 committee on CPUs, operating systems, and office 
suites, the ``secure and controllable'' score is linked directly to IP 
disclosure (i.e., the more IP an applicant discloses the higher its 
score).
    The Chinese government has asserted that the secure and 
controllable concept was introduced to ensure information technology 
products and services used in Chinese networks--ranging from commercial 
enterprises to government institutions--were secure. While every 
country is justified in protecting its national security, it should not 
be used as a pretext to pursue and mask industrial policy. In 2015, 
Presidents Obama and Xi agreed not to impose nationality-based 
conditions or restrictions on the purchase, sale, or use of ICT 
products by commercial enterprises. Since the commitment was made, U.S. 
industry has not seen a reversal of the policy. To the contrary, there 
has been a proliferation of secure and controllable policies across 
industry sectors, which calls into question China's commitment to the 
2015 agreement.
    Trade-inhibiting security reviews may weaken security, constitute a 
technical barrier to trade as defined by the WTO, and put valuable 
American IP at risk of inappropriate disclosure. As Chinese companies 
ascend the value chain and master more advanced technologies, state-led 
security reviews and testing may be used to block foreign companies 
from the China market and thereby allow domestic champions to build 
economies of scale in a protected market from which they can compete 
globally.
    With the passage of the CSL and the issuance of draft security 
measures and finalized equipment catalogues, these potential concerns 
are beginning to take shape. According to the CSL, all CII operators--
which may cover a large swath of commercial industries--buying 
communications networking products and services are required to undergo 
a security review. The potentially broad scope of this requirement and 
the intrusive aspects of review--including the possible required 
disclosure of source code, algorithms, and other sensitive IP--may 
result in U.S. companies being either marginalized from the market or 
forced to disclose valuable information.
    The Network Products and Services Security Review Measures: The 
pilot measures for security assessments have provisions that aim to 
raise the overall level of ``secure and controllable'' content and use 
non-security review criteria, such as dominant market position, in the 
assessment. These policy measures also include a number of elements 
that appear unjustifiably intrusive, including allowing officials to 
enter offices and question staff.
    Catalogue on Key Network and Specialized Equipment Security 
Products: For products falling within the Key Network and Specialized 
Equipment Security Products Catalogue, companies are required to 
undergo an unspecified government security-examination or obtain a 
security certification to be sold in the commercial market. The 
Ministry of Public Security and CAC, among other agencies, are 
responsible for certifying the testing laboratories. Whether it is 
through the security assessment measures or the catalogue's examination 
or certification, companies may be required to either meet subjective 
criteria or disclose an excessive and burdensome amount of sensitive 
information that is unnecessary for its stated objective. Although this 
catalogue constitutes a technical regulation as defined in the WTO TBT, 
China has not notified the catalogue to the TBT.
    Multi-Level Protection Scheme: In addition to the above recently 
issued security reviews, industry continues to have concerns about the 
Multi-Level Protection Scheme (MLPS). MLPS, first issued in 2007, is a 
rating system aimed at promoting indigenous innovation by mandating 
certain products used in Chinese information networks be developed and 
produced by entities invested in by Chinese citizens or controlled by the 
State. MLPS imposes significant restrictions on procurement that 
unjustifiably restrict foreign companies from accessing the market.
    More recently, companies report that the scope of MLPS is 
broadening and the requirements are becoming more onerous. MLPS 
mandates that a broad spectrum of advanced IP-intensive systems, 
including commercial insurance, cloud computing, big data, mobile 
Internet of Things, and industrial controls, that go well beyond 
national security, contain not only indigenous innovation but 
indigenous IP. As a result, companies face a stark choice between 
transferring their core IP or losing market access.
Market Access
    Administrative Licensing: Misuse of administrative licensing 
procedures provides a potential opportunity for a company's market 
access to be restricted or trade secrets or proprietary information to 
be put at risk of unnecessary disclosure. For U.S. companies operating 
in China, administrative licensing (i.e., difficulty or exclusion from 
obtaining required licenses) remains a top concern, ranking among the 
top five challenges for industry overall, and technology and R&D 
industries, in particular. According to the 2017 AmCham China survey, 
opaque, unpredictable, and burdensome licensing procedures, at the 
central, provincial, and local level, can ultimately amount to market 
access barriers.
    Telecommunication (BATs and VATs): The telecommunications industry 
provides an illustrative example of how licensing is interconnected 
with market access and technology transfer. China divides its 
telecommunications sector into two categories: basic and value-added 
(VAT). Within its VATs category, China takes an expansive view that 
encompasses ``computer and related services (CRS),'' such as cloud 
computing, that use a telecom network to supply a computer service. By 
classifying relatively new technology offerings as VATs, China is 
circumventing its WTO market access commitments for CRS based on its 
domestic classification system. Per the Guiding Catalogue on Foreign 
Investment, both telecommunications categories are subject to joint 
venture and equity cap restrictions.
    Companies operating in either category are generally required to 
obtain an operating license. However, the requirements are often overly 
burdensome, and in certain circumstances, only a local entity can 
obtain a license. This general inability to obtain a license puts 
foreign companies in a highly disadvantageous position. Moreover, 
because the Chinese government not only owns and controls all major 
operators in the telecommunications industry but also regulates it, 
there exists a potential conflict of interest.
    To enter the telecommunications market, companies are all but 
forced to joint venture with a Chinese company that holds sole 
possession of the required license or licenses. As a result, the 
discriminatory licensing regime creates an uneven playing field on 
which Chinese companies are able to set extractive terms--including 
mandating technology transfer--for the joint venture.
    Virtual Private Network Regulation: On January 17, 2017 China's 
Ministry of Industry and Information Technology issued its Circular on 
Cleaning up and Regulating the Internet Access Service Market, which 
took effect on March 31, 2018. Industry is concerned that this circular 
could be disruptive to foreign service suppliers and their customers in 
China, resulting in new constraints on market access and unnecessary 
burdens. The U.S. Chamber of Commerce supports the communication from 
the United States at the WTO Council for Trade in Services in February 
2018, and encourages the U.S. Government to work in concert with its 
trading partners to mitigate the adverse impact of the Circular on the 
business community.
    The sections below highlight two sector-specific examples in the 
electronic payment and cloud computing industries on how China uses its 
administrative licensing and regulatory regime to block market access 
or force technology transfer:
    Electronic Payments: Approximately 10 years after China agreed to 
open its market to foreign electronic payment service (EPS) providers 
under its WTO accession agreement, and following an adverse ruling at 
the WTO in 2012 against China's EPS practices, U.S. EPS providers still 
are unable to participate in China's EPS market. Meanwhile, China's 
electronic payment service (EPS) suppliers, mobile payment companies, 
and bank card issuers dominate the domestic market and are making 
significant inroads into global markets, including the United States.
    As part of the U.S.-China 100-Day Action Plan, China committed to 
``issue any further necessary guidelines and allow wholly U.S.-owned 
EPS suppliers to begin the licensing process, which should lead to full 
and prompt market access.'' While China complied with its commitment to 
issue new guidelines, China has yet to clarify if greenfield 
investments by U.S. EPS suppliers are subject to national security 
reviews in order to obtain their licenses. Further, there remain 
questions surrounding the review process, including which Chinese 
governmental and non-governmental entities would be involved, as well 
as the sequence and time-frame by which the review will occur.
    More recently, the People's Bank of China issued an announcement 
that it will require all personal and financial information collected 
or generated by foreign payment institutions to be stored, processed, 
and analyzed in China. As a result, even if market access is eventually 
given to foreign companies, localization requirements will apply to all 
their data.
    Cloud Computing: While U.S. cloud service providers have been at 
the forefront of the movement to the cloud in virtually every country 
in the world, China has imposed onerous regulations on foreign cloud 
service providers--effectively barring them from operating or competing 
fairly in China. Chinese laws and regulations on non-Chinese cloud 
service providers force U.S. cloud service providers to transfer 
valuable intellectual property, surrender use of their brand names, and 
hand over operation and control of their business to a Chinese company 
in order to sell in the Chinese market, as well as separate the local 
instance of the cloud service from the global instance, creating 
interoperability issues.
    More specifically, these measures (1) prohibit foreign cloud 
service providers from operating cloud services; (2) prohibit direct 
equity participation of foreign cloud service providers in Chinese 
cloud companies; (3) prohibit foreign cloud service providers from 
signing contracts directly with Chinese customers; (4) prohibit foreign 
cloud service providers from independently using their brands and logos 
to market their services; (5) prohibit foreign cloud service providers 
from contracting with Chinese telecommunication carriers for Internet 
connectivity; (6) prohibit foreign cloud service providers from 
broadcasting IP addresses within China; (7) prohibit foreign cloud 
service providers from providing customer support to Chinese customers; 
and (8) require any cooperation between foreign cloud service providers 
and Chinese companies be disclosed in detail to regulators. These 
measures are fundamentally protectionist and anti-competitive.
Intellectual Property Rights
Technology Transfer
    Compulsory Licensing: Compulsory licensing is not a new concept 
within China's legal and regulatory frameworks. A provision in SAIC's 
IP enforcement rule promulgated under the Anti-Monopoly Law (AML) could 
be used in some cases to force U.S. companies to license their 
essential technologies to Chinese companies. Furthermore, China's 
Patent Law includes a provision on compulsory licensing that may, if 
applied broadly, impose an unreasonable obligation for patentees to 
provide their technology to Chinese competitors.
    China is also exploring tying compulsory licensing to state 
funding. The State Council issued in July 2017 a Guiding Opinion that 
discusses compulsory licensing of patents that are obtained with 
funding from the state. This approach raises significant concerns for 
companies that would choose to accept public money to conduct R&D in 
China, including under industrial plans such as Made in China 2025 and 
Strategic Emerging Industries, as they could be forced to license their 
IP to the Chinese government. This policy, if implemented, would 
undermine innovation and diverge from the spirit of comments made by 
Minister Miao Wei that Made in China 2025 would not compel a technology 
transfer.
    Draft Export Control Law: China's draft Export Control Law--which 
includes factors such as economic development and industrial 
competitiveness in determining control lists--is creating uncertainty 
about whether technology developed by foreign companies in China-based 
R&D centers can be exported, thereby creating a non-market restraint on 
companies' ability to commercialize their technology.
    Requirement to Disclose: While China is a signatory to the WTO, it 
appears that China does not use its commitments in the WTO Agreement on 
the Technical Barriers to Trade (WTO TBT) as a basis for its legal and 
policy frameworks for standardization. As a result U.S. companies face 
a variety of challenges associated with standardization in China, 
including not being able to fully participate in standards setting 
bodies, domestic standards where international standards already exist, 
non-notification of technical regulations to the WTO, and Chinese 
standards that either forcibly include or exclude foreign technology.
    Draft Standardization Law: Unfortunately, these trends appear to be 
worsening. For example, the September 2017 draft of the Standardization 
Law expands on a public disclosure requirement that is both unique to 
China and potentially damaging to all market participants, and would 
add unnecessary costs and risks for all enterprises in China. 
Furthermore, a newly added and deeply concerning article in the latest 
draft stipulates state endorsement of incorporating indigenously 
innovated technology into industry and social standards. Combined with 
other implementation documents and public statements that allow social 
standards to be transposed to become national and industry standards, 
the inclusion by the state of a preference for indigenous innovation 
seems to create a trade barrier that would conflict with the WTO TBT.
Colombia
    Digital Piracy and IP-related Intermediary Liability: In 2016, the 
Colombian government began to review the 1982 Copyright Law, which 
would allow Colombia to partially comply with commitments made in the 
TPA. Among other elements, the draft includes a number of positive 
elements such as extending civil liability to circumvention of TPMs as 
well as to production and sales of circumvention devices, and allowing 
destruction of circumvention devices and infringing materials. In 
addition, the draft expands certain exclusive rights to authors and 
phonogram producers. At the same time, the text also seeks to update 
copyright exceptions by adding exceptions for library and research use 
and for temporary electronic copies not involving commercial gain, 
among others. Moreover, it introduces statutory damages for copyright 
infringement (although the actual amounts must be decided by decree) 
and would increase copyright protection to 70 years for works for hire 
as well as for phonograms and broadcasts. However, it falls short of 
addressing other key gaps in the online copyright regime, including in 
relation to ISP liability and assistance in takedown of infringing 
content online. While Colombia's commitments go ignored, levels of 
piracy there continue to grow, increasingly online. There is no serious 
effort on the part of Colombian law enforcement to prosecute 
administrators and owners of websites, blogs, and ``hubs'' involved in 
the distribution of illegal files. Copyright protection in Colombia 
could be strengthened through the implementation of the FTA provisions 
and by further mechanisms to combat online piracy.
European Union
    Digital Single Market: Europe's approach to the single-market is 
always most successful when it aims to remove trade barriers between 
the Member States and not to limit competition in a misguided attempt 
to support the single-market. Unfortunately, since announcing the DSM 
as a priority, the initial ``win-win'' framing of the exercise has 
faded as some European officials have sought to use the DSM to handcuff 
the competitiveness of U.S. companies. The anti-American approach at 
times reflects an intellectually sloppy critique of government 
surveillance programs that lumps in unrelated private business 
activities; at other times, it betrays a misunderstanding of the best 
practices required to build domestic industry. In any event, it is 
important that the DSM remain focused on keeping Europe open for 
business within Europe and connected to the rest of the global economy.
    Data Privacy: The General Data Protection Regulation (GDPR) will go 
into effect May 25, 2018. Ambiguity around the implementation of this 
agreement remains. Only two EU Member States, Austria and Germany, 
have finalized implementing legislation around the GDPR. This 
regulation will impede the ability of American companies to access and 
utilize European citizen data.
    GDPR will come into force in May 2018, and companies are expected 
to be in full compliance by then. Yet, guidance from data protection 
authorities has been slow to come out, and many U.S. and European 
companies still have a number of compliance questions. Consistent 
implementation of GDPR across all EU member states represents an 
immense regulatory challenge for the EU that has consequences for EU 
competitiveness in the digital economy in addition to American firms 
doing business there.
    Further, the EU-U.S. Privacy Shield has come under scrutiny by the 
EU's Article 29 Working Party (WP29), in which it has called for the 
U.S. Government to prioritize the appointment of an Ombudsperson and 
members of the Privacy and Civil Liberties Oversight Board (PCLOB). It 
has called on the U.S. Government to address these concerns by May 25, 
2018. The WP29 also outlined a number of other concerns in its November 
2017 Opinion on the EU-U.S. Privacy Shield, and calls for these to be 
addressed at the second joint review. The WP29 states in this opinion 
that if the concerns are not addressed in the given time frames, the 
members of WP29 will take appropriate action, including bringing the 
Privacy Shield Adequacy decision to national courts and the European 
Court of Justice.
    The Privacy Shield is vitally important for American and European 
companies to continue to transfer data across the Atlantic and do 
business and sets a high standard for the protection of consumer data. 
The EU-U.S. Privacy Shield is successful on many levels:

   It facilitates the movement of data cross-border for 
        American and European businesses, while meeting the rigorous 
        privacy expectations of American and European consumers.

   It triggers a thorough review of companies' privacy 
        practices, resulting in demonstrable changes to how they do 
        business and protect consumer privacy, in order to certify.

   It enhances accountability by establishing a meaningful U.S. 
        Government and EU Commission process for addressing any 
        consumer concerns that arise.

   It ensures timely and swift action in response to consumer 
        privacy concerns, though relatively few companies have received 
        complaints.

   It is accessible as more than 2,400 American and European 
        companies have been certified, half of which are small and 
        medium sized businesses.

   It serves more broadly as a model for regulatory cooperation 
        demonstrating that it is possible to find solutions that bridge 
        different regulatory frameworks.

    Cyber Security Act: The European Commission's proposed Cyber 
Security Act contains provisions for a voluntary ICT certification 
framework for connected products and services. While this does create a 
consistent framework for companies that provide such products and 
services--meaning that they can certify once, while complying Europe-
wide--we remain concerned that this will create a barrier for device 
makers to enter the European marketplace because certification is a 
costly and burdensome undertaking. In addition, it remains possible 
that the final proposal, or future updates to this proposal will 
require mandatory compliance with such provisions.
    NIS Directive Transposition: While the NIS Directive does not 
explicitly call for provisions that would act as a barrier to digital 
trade, the flexibility that it affords Member States will create 
divergent approaches to implementation which ultimately undermine the 
Digital Single Market and disproportionately limit the ability of 
international companies to operate across Europe. These include the 
ability for Member States to develop security measures for Operators of 
Essential Services (Critical Infrastructure) at the national level, 
rather than utilizing international standards, and to introduce 
divergent thresholds and reporting requirements for significant cyber 
incidents.
    Digital Piracy: Many EU economies have invested in building 
comprehensive and effective IP frameworks through domestic legislation, 
judicial decisions, and IP provisions in new trade agreements. In the 
U.S. Chamber Index, six EU economies--the UK, Sweden, France, Germany, 
Ireland, and the Netherlands--all score closely behind the U.S. due to 
the strength of their IP frameworks. However, copyright protection 
continues to be one area where the EU economies' IP legislation and 
enforcement consistently falls short. In particular, online piracy 
creates a significant impediment to digital trade throughout the 
region. Both Spain and Italy, which otherwise have very strong IP 
systems, suffer from continually high piracy rates. In order to combat 
digital piracy, the EU's e-Commerce Directive provides the authority 
for a court or administrative authority to require ISPs to terminate or 
prevent copyright infringement by third parties that use their 
services. The e-Commerce Directive also lays out the basis for 
injunctive-type relief against infringing websites in EU member states, 
while still providing a safe harbor for ISPs. Recent case law from the 
Court of Justice of the European Union and in individual EU countries, 
including Spain and Italy, illustrates that countries are implementing 
the tenets of the e-Commerce Directive to help combat digital piracy 
and better protect copyrighted content online.
India
    Privacy: Following the Indian Supreme Court ruling in August 2017 
that declared privacy to be a fundamental right for Indian citizens, 
the Indian government has to undergo the challenging task of preparing 
privacy legislation, as directed by the Supreme Court. While no 
proposed legislation has surfaced, this new regulation will have 
significant impact on American companies operating in India. It is 
essential that as India embarks on the process of developing a national 
privacy framework, it bears in mind the important economic benefits 
created by flexible approaches to the use of data, and the importance 
of enabling cross-border data flows.
    Foreign Direct Investment: The Department of Industrial Policy & 
Promotion (DIPP) does not currently allow 100 percent FDI in e-commerce 
incrementally in denoted sectors--and ultimately across all sectors. 
FDI has been relaxed in the food retail sector, which has resulted in 
the commitment of investment and opportunities to digitize markets for 
farmers and growers. Similarly, other sectors which can benefit from 
increased FDI flow need to be considered. Two sectors where it can be 
taken up are `Digital products' and `Textiles'. Digital products refer 
to computer programs, text, video, images, sound recordings, and other 
products that are digitally encoded and produced for commercial sale or 
distribution. These products are delivered over a digital network, e.g., 
music tracks, video, software, newspapers, books. These are intangibles; 
their trade is deemed as trade of ``right to use'' or ``transfer of right 
to use'' just as there is ``deemed sales'' or ``transfer of right to 
use'' of tangible goods. These are the products which can be purchased 
as well as consumed digitally. Typically, digital products include 
Software (productivity tools, security software, databases, design 
applications etc.), Audio visual products--movies and television 
programs, Video games, Digital images and products, E-books, Music 
files etc. The textile industry is currently under major stress due to 
several factors including GST, reduction in exports and tariff 
advantages of other countries. An increase in FDI inflow to this 
sector, which attracted only $1.5 billion in the last 15 years, will 
ensure it reaches its potential. One of the ways of ensuring backward 
flow of FDI is by allowing market access to textile products which will 
ensure additional investment in the sector.
    Digital Piracy and IP-related Intermediary Liability: Pervasive 
digital piracy presents a significant challenge for creative industries 
operating in India. The International Intellectual Property Alliance 
(IIPA) discusses the scope of the problem in their 2018 Special 301 
submission, noting ``A September 2017 consumer survey of active 
Internet users in India showed that 94 percent of those surveyed 
downloaded pirated music content in the last six months. . .In a one-
month period, the motion picture industry estimates that 63 million 
visitors accessed the top five piracy websites (mostly torrent sites) 
in India for motion picture and television content, accounting for 440 
million page views.'' Further, studies have shown that 60 percent of 
software in India is pirated, creating an enormous cyber-security risk 
for Indian businesses and consumers. Despite high levels of software 
piracy, music piracy, and counterfeit goods, Indian law remains unclear 
about the availability and requirements of a notice and takedown system 
to combat online piracy.
    However, in what is otherwise a challenging copyright environment 
in India, a positive trend has emerged over the past few years with 
rights-holders increasingly being able to defend and enforce their 
copyrights through injunctive relief. Since 2012 there have been a 
number of cases whereby access to websites offering pirated and 
infringing content has been disabled through court orders, including 
notorious international sites like The Pirate Bay. Injunctions have 
been issued by both the High Court of Delhi and High Court of Bombay 
with the Department of Telecommunications instructing Indian Internet 
Service Providers to carry out the order. While the case law and 
procedures are still evolving (particularly with regards to disabling 
access to only specific URLs versus entire websites), we hope that this 
development will act as a strong deterrent against online piracy in 
India.
Indonesia
    Data Localization: The Indonesian government's issuance of 
Government Regulation No. 82 of 2012 on Electronic System and 
Transaction Operation (``GR 82/2012'') creates significant barriers for 
U.S. firms. In particular, it requires Electronic System Operators 
(ESOs) for public services to place a data center and disaster recovery 
center in Indonesia for the purpose of upholding justice, safeguarding, 
and upholding state sovereignty towards its citizens' data. While 
public services is not defined in the bill, it is defined elsewhere in 
Public Services Law (Law No. 25 of 2009). A company considered to be 
carrying out public services appears to be covered. The government is 
currently reviewing the definition of public services and may expand 
the regulation to include all services. Other aspects of GR 82/2012 
erect significant barriers to entry, including disclosure of encryption 
used in providing e-services and providing the encryption key to the 
government. The U.S. Chamber has repeatedly encouraged the government 
not to proceed with this regulation.
    Over-the-Top Services: In 2016, Indonesia proposed regulations 
known as ``the Draft Regulation on the provision of applications, and/
or content services through the Internet OTTs.'' In August 2017, 
Indonesia's Ministry of Communication and Information Technology (MCIT) 
released a new draft. Some changes were made, but issues remain 
requiring OTT providers to set up a permanent establishment in 
Indonesia, offer terms of service in Indonesian language and use 
Indonesia's national payment gateway.
    The proposed measures will be prohibitively burdensome for start-
ups and small-scale businesses that lack the resources to establish 
operations in Indonesia. Indonesian consumers will also be denied 
access to the full benefit of global online services, and this will harm 
Indonesia's competitiveness in the digital economy. On tax issues, 
Indonesia has supported a collaborative approach globally in the 
context of the Organization for Economic Co-operation and Development's 
(OECD) ongoing work on base erosion and profit shifting (BEPS). A 
departure from this approach toward sector-specific tax requirements 
before OECD's BEPS project is fully implemented will inadvertently 
create barriers to entry and discriminate against foreign providers in 
ways that are inconsistent with Indonesia's international trade 
commitments. Keeping the Internet open and free of barriers is critical 
to Indonesian consumers' enjoyment of the Internet and to enabling 
Indonesian businesses to remain competitive in the increasingly 
digitalized global economy.
    Local Content Requirements: The government also has several 
regulations regarding local content requirements, for example 
regulation 68/2015 from the Ministry of Industry imposes local content 
requirements on the manufacturing and development of mobile phones and 
communication devices.
    Indonesia maintains a number of protectionist policies, some of 
which are not enforced in practice, which keep out legitimate content, 
including a proposed 60 percent local content screen quota, onerous 
pre-production content review requirements, a prohibition on dubbing 
imported films, local replication requirement, foreign investment 
limitations, and other restrictions on the audiovisual industry.
    Under the Presidential Regulation no.54/2010 Article 104, foreign 
companies are only allowed to bid for a government procurement project 
if the bids exceed the threshold of IDR 20 billion (USD $1.49 million) 
for goods and other services and IDR 10 billion (USD $744,000) for 
consulting services. Moreover, in order to promote optimized use of 
domestic goods and services, government entities are to give 
preferential treatment in the form of price preferences to domestic 
goods and services providers, as stipulated in the Presidential 
instruction No. 2/2009. While cross-border ICT service providers are 
not excluded from government procurements, such protectionism puts them 
at a disadvantage.
    Digital Piracy and IP-related Intermediary Liability: The creative 
content community faces significant challenges in Indonesia. Digital 
piracy is persistent, enforcement is wholly insufficient, and courts 
are mostly ineffective. A significant and continued investment of 
resources and training for enforcement entities and courts and high-
level political commitment is needed.
    Indonesia has made meaningful improvements over the past year, 
though significantly more needs to be done given the scale and scope of 
piracy in Indonesia's market. In a positive development, the 2014 Act 
provided new tools to combat online infringement and the circumvention 
of technological protection measures (TPMs). Regulations implementing 
the law (Regulations No. 14 and 26) were enacted in July 2015, 
providing new administrative remedies in response to websites that 
facilitate infringement by disabling access to primarily infringing 
websites. Additionally, the Creative Economy Agency established an 
anti-piracy task force in the second half of the year. These new tools 
have already proven useful and suggest new dedication to anti-piracy 
efforts within Indonesia.
Nigeria
    Data Localization: Since 2011, Nigeria has required all point-of-
sale and ATM transactions to be processed within Nigeria. In December 
2013, the National Information Technology Development Agency (NITDA) 
issued Guidelines for Nigerian Content Development in Information and 
Communications Technology (the NITDA Guidelines) applicable across a 
wide range of ICT products and services in Nigeria, which has come 
under subsequent revisions. The Guidelines put restrictions on the 
cross-border flow of data requiring that all consumer data collected by 
companies in Nigeria be stored locally.
    Local Content Requirements: The Nigerian government is proactively 
encouraging local content development in an attempt to boost the local 
economy, enhance skills and capabilities, and boost employment.
    Nigerian content regulations started from strategically important 
sectors such as the oil and gas industry. In 2010, the Nigerian Oil and 
Gas Industry Content Development Act 2010 No. 2 was introduced. 
According to this act, IT management consultancy services and data 
management services procured by oil and gas companies are subjected to 
50 percent Nigerian content, while other Information Systems (IS)/
Information Technology (IT) Services require 75 percent of Nigerian 
content.
    According to the NITDA Guidelines, the design, procurement, 
testing, deployment, maintenance and support shall be executed by 
Nigerian indigenous ICT Companies, Nigerian subsidiaries of 
international ICT OEMs, or Nigerian partners of international ICT OEMs. 
For example, companies determined to be Original Equipment 
Manufacturers (OEMs) are required to maintain at least 50 
percent local content by value, assemble all hardware within Nigeria 
and maintain fully staffed facilities for this purpose, and maintain 
in-country research & development departments.
    International ICT companies are required to submit a local content 
development plan to NITDA, detailing creation of jobs, recruitment of 
local employees, human capital development, and value creation in the 
industry. Furthermore, ICT companies are required to host all consumer 
and subscriber data locally. Moreover, government data is mandated to 
be hosted in Nigeria within 18 months of the coming into effect of 
these guidelines. In other words, the government is attempting to 
reduce Nigeria's reliance on cross-border ICT services. However, there 
have been challenges in implementing the guidelines and in October 2015 
the Nigerian Government issued a notice mandating compliance.
Russia
    Data Localization: Russian Federal Law No. 242-FZ requires companies 
collecting Russian citizens' personal data to store and process the 
data on Russian territory. Subsequent guidance from the regulator, 
Roskomnadzor, outlined that foreign companies are only able to send 
data outside of Russia as long as it was collected with the use of 
local infrastructure and remains stored and processed on that same 
infrastructure. If companies do not comply, their access to the market 
and these services can be restricted. This has forced both U.S. firms 
operating in Russia or providing services from the U.S. to rewire their 
operations, consider exiting the market, or buying server space in 
Russia to provide the same services at a higher cost.
    Federal Law No 374-FZ provides Russian agencies with the authority 
to request access to company-held data. It also requires 
telecommunication companies and Internet service providers (ISPs) to 
keep metadata and the contents of a communication sent through their 
services in Russia. Further, ISPs are required to provide the Russian 
authorities information necessary to decrypt Internet communications.
    Local Content Requirements: In its efforts to diversify and 
modernize its economy, the Russian Government has increasingly focused 
on erecting localization barriers and mandatory localization 
requirements for foreign entities to access the Russian market. The 
``New Digital Society Strategy 2017-2030'' approved in May 2017 
contains a number of localization policies including the location of 
databases and data within Russia and online payments to be made through 
Russian payment systems. Further restrictions have also been put in 
place for foreign ownership of online content providers.
    Digital Piracy and IP-related intermediary liability: Although 
online piracy remains a serious problem in Russia, the Government has 
taken a number of important, positive steps to provide new tools to 
address the issue. In 2013 and 2014, the Russian Federation signed into 
law amendments to the Civil Code Part IV, which included notice and 
takedown obligations to intermediaries upon notice of infringement by a 
rights holder and allows for disabling access to infringing sites in 
the event of repeat infringement. With regards to the application and 
enforcement of the 2013 and 2014 amendments, reports from the Russian 
government suggest that traffic onto websites with legitimate content 
was increasing as a result of the law; however, in other areas 
enforcement challenges persist. For example, online piracy rates 
continue to remain high in Russia. VK.com remains one of the most 
visited websites in the world and is included in USTR's Notorious 
Markets Report.
    In 2017 further legislative changes were introduced to strengthen 
rights-holders' ability to request the disabling of access to infringing 
material online. Specifically, there were a number of important 
amendments to the ``Law on Information, Information Technologies and 
Information Protection.'' These amendments include the ability of the 
court to extend injunctive relief against so-called mirror sites that 
infringe copyrighted content. In addition, rights-holders now have the 
option of notifying the Ministry of Communications, which has two days 
to order the hosting provider to disable access to the site. 
Furthermore, Internet mediators (including search engines) are now 
obliged to remove links to sites that have been found to host illegal 
content. These are positive developments and show how Russian 
authorities are actively seeking to address the immense challenge of 
online piracy.
South Korea
    Cloud Computing: The Cloud Computing Act (CCA) and related Data 
Protection Standards for Cloud Computing Services (CCPA) discourage 
U.S. cloud services providers from entering the market. In September, 
2015, the Ministry of Science, ICT and Future Planning (MSIP) enacted 
The Act on the Development of Cloud Computing and Protection of Use, 
commonly referred to as the Cloud Computing Act (CCA), with the 
intention of developing Korea into a $3.9 billion cloud services market 
by 2018. Unfortunately, government agencies responsible for setting 
specific security guidelines for public institutions' use of cloud 
services have created a patchwork of competing directives and continue 
to erect barriers to entry that favor local cloud service providers.
    U.S. industry applauds the legislative intent of the CCA. In 
practice, however, the law deters U.S. cloud service providers from 
entering the Korean market. The current Data Protection Standards for 
Cloud Computing Services (CCPA Guidelines) require data separation and 
network separation for all public institutions utilizing cloud 
services. In Korea, this includes financial services, healthcare, 
educational and government institutions. First, the requirement to 
separate the data from the public cloud requires U.S. companies to create 
separate intranets for these institutions, which mitigates the 
efficiencies of cloud computing. On the second requirement, network 
separation, companies are required to build physical servers in Korea, 
which is prohibitively expensive.
    These approaches undermine the efficiencies of cloud computing by 
limiting the ability of cloud providers to leverage the economies of 
scale of an international infrastructure. This will ultimately deter 
cloud computing technologies from becoming ubiquitous in Korea, and 
will create unnecessary roadblocks for Korean firms that could benefit 
from such technologies.
    U.S. cloud service and financial service providers face a unique 
set of challenges in Korea, due to the physical network separation 
requirements established under the Regulation on Supervision of 
Electronic Finance.
    The Financial Services Commission (FSC) requires the physical 
network separation of the information processing system of financial 
companies in its Regulation on Supervision of Electronic Finance. This 
requirement prevents the introduction of cloud computing services in 
the financial services sector. In addition, when the cloud service is 
allowed, it can be introduced only to a ``non-critical information 
processing system'', which is vague and makes the introduction of cloud 
service extremely difficult in this sector. In all, this excessive 
regulation restricts the use of cloud computing services in the finance 
industry, which is contrary to the Korean government's policy to 
nurture and promote the cloud industry.
    Data Localization: Data localization requirements have improved in 
many ways, however, challenges remain for U.S. financial service 
providers and reinsurance companies.
    In June, 2015, the FSC released a revision to the Regulation on 
Financial Institutions' Outsourcing of Data Processing Business and IT 
Facilities, however the revisions have not been fully implemented. The 
revision sought to eliminate a provision that restricts offshore 
outsourcing to a financial firm's head office, branch and affiliates to 
allow outsourcing to a third party including a professional IT company.
    However, there remain some areas where companies are unable to 
transfer data across borders. For example, Korean branches of U.S. 
reinsurance companies are not allowed to transfer personal information 
offshore for data processing or storage, and similar restrictions exist 
for financial services providers. This creates inefficiencies, 
increases the risks of hacks and leaks, and puts at risk a company's 
ability to recover critical data in the event of a natural or other 
disaster situation. Similarly, U.S. cloud service providers feel that 
barriers remain with regards to the transfer of certain types of data 
to professional cloud service providers.
    Discriminatory and redundant local certifications are required in 
addition to globally agreed upon standards and commitments, preventing 
the adoption of best practices related to cybersecurity, privacy, and 
encryption.
    Standards: The United States and Korea are both members of the 
Common Criteria Recognition Arrangement (CCRA), under which products 
certified at any CCRA-accredited laboratory should be recognized as 
meeting the certification requirements of any other CCRA member 
country. Despite this agreement, the Korean government requires 
additional verification of network equipment such as routers, switches 
and other information security products procured by public sector 
agencies. Compounding the burden, individual government agencies 
require their own separate conformity testing, even if the same product 
has been procured and verified by another government agency. This 
additional certification process is overly burdensome, and deters the 
adoption of best cybersecurity practices and equipment by Korean 
government agencies.
    Since 2011, the Korean government has imposed these additional 
verification requirements, and in 2014 extended similar security-
conformity testing requirements to all international CCRA-certified 
products used by all central government agencies. The government is 
expected to extend this policy to include all public organizations 
including local governments, hospitals, and educational institutions. 
There is concern from the private sector that these guidelines have 
been interpreted as requirements to buy local IT products and avoid 
foreign ones. Although the Korean government has tried to clarify these 
policies to government agencies, there has been no change in their 
implementation.
    In addition, public sector agencies procuring networking equipment 
have increasingly required the incorporation of encryption 
functionality that needs to be domestically developed and certified 
(e.g., ARIA and SEED), which in effect deems the use of widely-used 
international encryption standards such as AES as inadequate. As a 
result, products such as virtual private networks and firewalls from 
U.S. companies cannot be sold to Korean public sector agencies. Going 
forward, Korea should ensure that products that are based on widely-
accepted international standards have full access to Korea's public 
sector market.
    South Korea also requires issuance of accredited certificates using 
Public Key Infrastructure (NPKI) by law. This is a technology 
recognized on the Internet and offers various supplementary services, 
including e-commerce and electronic banking activities. It also 
requires users to obtain accredited certificates when accessing South 
Korean government websites such as Yestrade (South Korea Export 
licensing system) and UNI-PASS (South Korea Import System). When the 
accredited certificates are obtained, they require many plugins and 
add-ons to install on the user's computer. This is burdensome and an 
unnecessary security standard because these plugins and add-ons can 
change a company's standard configuration and can cause other potential 
problems and risk to the user's computer.
    Privacy: There has been some concern that the Korea Communications 
Commission and other regulators believe that Korea's existing Personal 
Information Privacy Act (PIPA) offers stronger protections than the 
APEC cross-border privacy rules system which Korea recently joined. 
U.S. industry fears similar duplicative requirements will be imposed on 
CBPR compliant companies, once adopted. It is our strong view that this 
approach would undercut the efficiencies gained by the APEC CBPR 
system, and U.S. regulators and certifiers should work closely with 
their counterparts in Korea to ensure that the CBPR system functions in 
the way it is intended to.
    Bandwidth Costs: Bandwidth costs in Korea continue to rise, despite 
costs falling on a global scale. South Korea may be the only country in 
the world where bandwidth costs are rising. This trend is likely driven 
by a combination of directives from the Ministry of Science, ICT and 
Future Planning designed to lower costs to consumers, and powerful 
incumbents trying to offset them. One new regulation mandates the 
commercial terms of interconnection, contrary to the model for 
`peering' that is used across most of the world. Another sets a 
prescriptive rate at which bandwidth prices should fall per year at 7.5 
percent, slower than the average bandwidth price drops around the rest 
of the world.
    Customs: Complex border measures and customs procedures are 
creating barriers for small and medium sized enterprises (SMEs) to 
leverage e-commerce opportunities.
    E-commerce has grown tremendously in recent years, and the 
emergence of new e-commerce platforms has allowed for small and medium 
sized companies to reach new customers across the globe. It has also 
created a surge of low-value, cross-border shipments. In response to 
the increased volume, governments have sought to introduce new border 
measures such as x-ray screening, additional paperwork requirements, 
and new e-commerce channels, however, such efforts are making trade 
more complex for SMEs (many of whom are new, and inexperienced 
shippers) and limiting their ability to fully leverage e-commerce 
platforms and the opportunities they create.
    Procurement: SME procurement preferences are interpreted as 
domestic procurement preferences. Korea, similar to the United States, 
provides for SME procurement preferences under certain circumstances. 
However, in Korea, the preferences are interpreted by government 
procurement agencies as a preference for domestic products, rather than 
to assist SME companies who can resell products and solutions sourced 
internationally. Directives such as ``Guidelines on IT network 
equipment installation and operation'' for public sector agencies 
stipulate the use of testing and certification requirements that are 
met only by domestic products and fail to recognize and accept products 
that meet global certifications.
    Online Travel: Online travel agencies are unable to offer non-
refundable hotel rates in Korea, limiting consumer choice. In an effort 
to increase consumer protections, online travel agencies face 
regulations in Korea that ban non-refundable hotel rates. Ironically, 
such regulations actually harm consumers by raising prices, and over 
time, harm the tourism industry--including the complementary businesses 
associated with it.
    Digital Piracy and IP-related intermediary liability: To combat 
digital piracy, Korea has in place an administrative mechanism for 
responding to rights holder requests for removing access to infringing 
content online. The legal basis is found in Article 102(2)f of the 
Korean Copyright Act, which provides limited liability for ISPs that 
respond to a court or related administrative body order to delete or 
disable access to infringing content. In the case of Korea this order 
comes from the Korean Communication Standard Commission (KCSC), but 
based on a request from the Korean Copyright Commission (which in turn 
responds to rights holder notices of infringing content and sites). 
Industry reports suggest that as of 2017 access to over 400 infringing 
websites has been disabled in Korea under this mechanism. A 2016 study 
by the Motion Picture Association found a significant impact from the 
mechanism, including on average a 90 percent drop in visits to disabled 
sites within three months of an order. In addition, following 3 
instances of disabling a given site, the data suggested a 15 percent 
drop in visits to infringing websites and 50 percent reduction for P2P 
sites specifically. However, it should be noted that site disabling at 
the request of the Korea Communications Standards Commission more 
generally is not always used transparently or independently, with some 
concerns over censorship from civil society organizations reported.
Thailand
    Digital piracy and IP-related intermediary liability: Digital 
piracy is pervasive across Thailand. The Motion Picture Association of 
America reports ``In one month, there were twenty times the page views 
to the top five piracy sites in Thailand as there were page views to 
the top five legitimate Websites.'' The Thai government has taken steps 
to close loopholes in the Thai law through amendments to the Copyright 
Act; however, in several instances they are missing key language or 
provisions that would allow them to effectively limit infringing 
activities, particularly in the online sphere. Sections 28/1 and 69/1 
make camcording in public venues an infringement, although the language 
is not as strong as that in other economies--only actual reproduction 
is criminalized without specifically including intent to copy and 
distribute, essentially precluding preventative enforcement. No 
landlord liability was introduced, which means that physical shops 
selling pirated goods are not held liable as intermediaries. The 
amendments introduce liability for ISPs and a kind of notice and 
takedown system but with several limitations that render the new law 
significantly less effective than anticipated and not a true notice and 
takedown mechanism. ISPs are not liable for non-hosted material, 
regardless of if they have knowledge that it is infringing. In 
addition, rights holders' notices must be accompanied by a court order 
for ISPs to be responsible to respond. In addition, the amendments 
involve a high burden of proof to demonstrate infringing sites. The 
2015 amendments to the Computer Crimes Act reinforce these same 
requirements and as such do not contribute to closing these loopholes. 
In 2014-15, rights holders reported a good rate of response (90 
percent) from mainstream ISPs (though not for non-hosted content); 
however, the new rules may jeopardize this trend. In terms of 
exceptions to copyright, among other exceptions, Section 32/9 of the 
copyright amendments introduce a wide exception for use by disabled 
persons that goes beyond the Marrakesh Treaty. Also, negligence 
continues on the Thai government's part to book piracy in educational 
institutions, including in relation to broad interpretations of the 
disabled person's exception. In addition, unauthorized access to and 
retransmission of pay TV and satellite programing as well as unlicensed 
public performance of copyrighted works (e.g., at entertainment venues) 
remain major challenges on the ground.
Turkey
    Data Localization: In 2013, Turkey enacted the Law on Payments and 
Security Settlement Systems, Payment Services and Electronic Money 
Institutions. This law requires Internet-based payment services to 
store data within Turkey for at least ten years.
    Privacy: Turkey finalized its Law on the Protection of Personal 
Data in 2016. Turkey's newly formed DPB is tasked with implementing the 
law and determining whether other countries provide an adequate level 
of privacy protection. The Law places heavy obligations on data 
controllers and processors, requiring consent to be explicit for the 
processing of non-sensitive and sensitive personal data.
    While personal data can be transferred to a third country, because 
the processing grounds available for sensitive personal data are very 
limited the transfer of sensitive personal data is incredibly 
burdensome. Further, if the grounds for data processing and transfer 
are anything other than explicit consent then the third country must be 
deemed to have an adequate level of data protection. If a country is 
not deemed adequate, then the DPB must provide permission for each 
transfer.
    The DPB has come out with guidelines around the implementation of 
the law. In particular, the law has several registration and record-
keeping requirements. Data controllers are required to register with a 
publicly available data controllers' registry and provide their 
``Personal Data Processing Inventory'' and ``Personal Data Retention 
and Destruction Policy'' to the DPB.
    Digital Piracy and IP-related intermediary liability: Online piracy 
is still prevalent and problematic in Turkey. The Business Action to 
Stop Counterfeiting and Piracy (BASCAP) estimates the size of the 
pirated and counterfeit market at close to USD11 billion, with 
unlicensed digital content up to one-tenth of that value and unlicensed 
software representing half of the value of unlicensed digital content.
    Turkish copyright law lacks a clear obligation for ISPs to 
expeditiously cooperate with rights holders when they have knowledge of 
infringement without an official order from a prosecutor's office or 
court. However, a basic notice and takedown mechanism, whereby rights 
holders may notify ISPs and if there is no response pursue a takedown 
through the courts, as well as requirement for ISPs to respond to a 
court's order, is present in Additional Article 4 of the Copyright Law. 
In addition, the Internet Law (No. 5651) provides for the takedown or 
disabling of access to websites for matters of ``national security, 
restoration of public order and prevention of crimes,'' which can 
include copyright and trademark infringement.
    Under the law, courts may issue orders for service or hosting 
providers to disable access to sites infringing the law. Law 5651 also 
established a central body of ISPs (Association of Access Providers), 
which is required to respond to courts' orders and may also receive 
notices of violation from the private sector. Industry reports suggest 
that having such a ``one-stop shop'' for submitting notices or 
directing orders has aided in growth in responsiveness by ISPs in the 
past year, including notices from copyrights holders. As a result the 
score for indicator 12 rises by 0.25. In addition, some sites, such as 
The Pirate Bay, have been disabled under court order in the past.
    Nevertheless, the Association of Access Providers and the Internet 
Law more widely tend to be used more frequently for political-related 
site disabling. Copyright amendments introduced in 2016 and under 
discussion in 2017 would establish, among other elements, a new Center 
for Combating Digital Violations within the Ministry of Tourism and 
Culture. The new Center, if implemented, is intended to become a 
copyright-focused body for handling rights holder notices.
    Local Content Requirements and Technology Transfer: Turkey has had 
in place a regime that discriminates against foreign companies and 
products for over a decade, but in 2014, these types of barriers 
intensified and took on a nature that is likely to involve sharing of 
proprietary know-how and assets. Public Procurement Law No. 4734, 
introduced in 2002, provides up to a 15 percent price advantage to 
local goods in government tenders. The goods that qualify for such a 
preference have up until now been determined annually by the Ministry 
of Science, Industry and Technology. In 2014, the threshold for being 
considered a local product was raised considerably as part of 
Communique 2014/35, issued in September 2014. Specifically, in order to 
be considered a local product, at least 51 percent of the total cost of 
manufacturing must be derived from local materials or labor. In 
addition, substantive stages of the manufacturing process must take 
place locally. Requiring foreign companies to localize production in 
Turkey to this extent likely entails transfer of IP rights to domestic 
entities in some, if not many, cases.
Vietnam
    Data localization: IT infrastructure requirements which directly 
benefit local IT service providers exist in Vietnam. Decree 72/2013/
ND-CP on Management, Provision, and Use of Internet Services and 
Information Content Online stipulates that information service 
providers on mobile telecommunication networks, news or general 
information websites, game service providers, and social networks are 
required to locate one server system in Vietnam for the inspection, 
storage, and provision of information at the request of competent 
authorities, and settlement of customers' complaints. This regulation 
deters the affected companies from procuring other forms of 
infrastructure related cross-border ICT services as it would incur 
additional cost for creating redundancies for their data offshore. 
While having a disaster recovery data centre has its merits, the 
additional cost for the service would deter companies with limited 
budget for IT such as SMEs.
    Local Content Requirements: Only Vietnamese organisations or 
individuals are allowed to provide IT services to state bodies. These 
rules not only limited the benefits of a geographically dispersed 
infrastructure, but also put foreign IT service providers seeking to 
offer services in Vietnam at a disadvantage.
    Cybersecurity: The Vietnamese government has released several 
drafts of a new cybersecurity law. Draft 15 of the Vietnamese Law on 
Cybersecurity contained a number of concerning provisions, including:

   Data localization and the localization of gateways

   Consent requirements in order to transfer personal data out 
        of Vietnam

   The regulation of a broad range of online content in the 
        absence of specific court orders. Such content includes very 
        broad definitions of offensive speech and expression. Moreover, 
        such content must be removed within a 24 hour period.

   Local representative office requirements

    The scope of areas and entities covered under the law is also 
unnecessarily broad, creating burdens on industry which are in many 
cases unnecessary, and which will likely overwhelm regulators that are 
charged with implementing the law. This approach will discourage or 
prevent foreign companies from operating in Vietnam, while doing 
nothing to increase the cybersecurity of operators of Critical 
Infrastructure.
    Digital Piracy and IP-related intermediary liability: Pervasive 
digital piracy has undermined the growth of legitimate creative content 
industries in Vietnam. The significant increase in content-providing 
sites has meant that piracy over streaming, P2P, and linking sites as 
well as cyberlockers and social networks has contributed to the 
persistently high piracy rate. For instance, according to the Department 
of Film, today there are an estimated 400+ local websites that provide access 
to tens of thousands of unlicensed films. A popular music website, 
Zing.vn, was recently listed on the USTR's List of Notorious Markets in 
relation to providing access to unlicensed music.
    Recognizing the scope of the piracy problem, the Vietnamese 
government issued a Joint Circular in 2012 which requires various ISPs 
(including social media networks) to issue warnings to infringing 
users. Although industry reports somewhat greater cooperation in 
takedown from ISPs in response to cease and desist letters from the 
Ministry of Information and Communication (MIC) and the Ministry of 
Culture (MCST), volume is still highly disproportionate to the scale of 
piracy, especially in relation to commercial-scale infringing sites.
                                 ______
                                 
                                U.S.-India Business Council
                                                        May 3, 2018

Ms. Nanda Dave,
Reserve Bank of India,
Mumbai, India.

Re: Reserve Bank of India (RBI) Notification on Mandatory Localization 
            of Payment System Data in India

Dear Ms. Dave:

    USIBC commends the Government of India for its continued 
commitment to a less-cash, digital payments driven ecosystem in India. 
USIBC members are wholly committed to be partners in achieving the goals 
and vision of Less cash and Financial inclusion agenda. It is in this 
spirit that we bring concerns with the new requirement for mandatory 
localization of payment system data to your attention.
    On April 6, 2018, the Reserve Bank of India published The 
Notification on Storage of Payment System Data (Localization 
Requirement) mandating payment system operators (POSs) to store payment 
system data only in India. The Localization Requirement was issued 
without any consultation with industry stakeholders even as it 
represents a significant and fundamental shift in the regulatory 
architecture for digital payment systems in India. The provisions are 
very broad and in key areas subject to interpretation and ambiguity. 
USIBC and its members assume the regulatory intent to be driven by data 
access, cybersecurity, privacy and fraud prevention concerns. While 
important and necessary goals, the localization requirement may not be 
the best mechanism by which to achieve these objectives and may in fact 
undermine the ability of industry stakeholders to detect, prevent, and 
mitigate global financial crime, frauds and breaches thereby increasing 
the cyber vulnerability in the system and in particular for India as a 
country.
    The implementation of a mandatory localization requirement in India 
may also run counter to anti-money laundering requirements in the 
international jurisdictions create conflicts of both within and outside 
where India is not aligned with international best practices.
    USIBC members remain respectful of RBI's concerns of Indian users' 
payment data and need for unfettered supervisory access. At the same 
time, the payment storage ``only in India'' has a fundamental negative 
impact on Global Payment operators' operating and business model. The 
Directive significantly impacts the ability of global payment platforms 
to combat global financial crime and fraud for Indian users.
    The mandate places severe constraints on global industry's ability 
to bring the latest innovations and technologies to Indian users and 
support the Indian Government's and RBI's less-cash vision.
    USIBC respectfully requests a reversal or an indefinite stay on the 
implementation of the Localization Requirement and welcomes an 
opportunity to collaborate with the Government of India and RBI on 
identifying the best path forward to address the regulatory concerns.
    The detailed discussion on the potential negative implications of 
the data storage ``only in India'' requirement and the Localization 
Requirement in general are set out below in Section I. This is followed 
by recommended areas for clarification in Section II.
Implications of the Requirement for Mandatory Localization of Payment 
        System Data
1. Ease of Doing business in India for multinational companies
    The Localization Requirement comes precisely at a time when India 
continues to refine policies towards further improvement in its ranking 
on relevant global indices. This effort was reflected in India's jump 
of 30 places in the World Bank's Indices, the highest of any country in 
such a short period of time.
    The Localization Requirement could potentially undermine the 
otherwise positive global perception of India as attractive destination 
for foreign direct investment. One of the foundations of ease of doing 
business is regulatory certainty which provides investors and USIBC 
members with confidence to base their future expansion and invest 
plans. The current move would undermine this confidence.
    The Ease of Business concept encapsulates not only the process by 
which new regulation is generated, but also the substance of the 
provisions and the nuanced balance between cost and benefit they 
ultimately create. The Localization Requirement would significantly 
raise costs for both companies and Indian users and consumers, and 
potentially introduce new risks in the payments ecosystem. Meanwhile, 
the regulatory benefits remain unclear and/or outweighed by these costs 
and inefficiencies.
2. Unintended Negative Impact on Cybersecurity and Reducing Risk--
        Disaster Recovery and Mitigation Plans
    As India moves towards its digital payments vision, policymakers 
have rightly focused on the need for cybersecurity and minimizing 
digital risk within their markets. All market participants, whether 
they are consumers or payment system operators, benefit from a strong 
cybersecurity regime. A large-scale breach in India would severely 
affect Indian users' confidence in the payments system and would raise 
reputational issues for India as a global power. The mandate forces 
all payment data to be stored only on soil which significantly raises 
the risk of India a single destination and visible target for cyber-
attacks on Indian payments data.
    Global experience demonstrates that localization requirements can 
unintentionally have the opposite impact. They introduce cyber 
vulnerabilities into otherwise secure global networks, put transaction 
data at risk, reduce efficiencies, and increase the risk of cyber-
attacks. Localization mandates can also impact global payments 
companies' abilities to detect, mitigate, and prevent security breaches 
and provide best-in-class disaster recovery and business continuity 
plans.
    Furthermore, alternative solutions may be available to achieve 
these same regulatory objectives. For example, the stated intent of 
unfettered supervisory access could also be achieved without the 
mandate of ``only in India''. Having a mirror image post processing 
copy of the data in near real time might potentially satisfy the 
``objective of unfettered supervisory access''; however, depending on 
the parameters defining scope of data and ``unfettered access'', a 
post-processing copy can also create added vulnerabilities, risk, and 
commensurate additional resources for housing, security and access. 
USIBC stakeholders are best placed to identify these solutions and can 
work with policymakers to ensure they satisfy regulatory oversight 
goals.
3. India stands to gain from an Open Cross-Border data flow regime and 
        localization is a race to the bottom
    India has been one of the biggest beneficiaries of open cross-
border data flows. The world-class Indian IT/ITES industry provides 
services and data analytics as well as BPO/KPO hub services to over 80-
90 countries. India can continue to be a global leader by fostering 
free cross-border flow of data and enterprise services.
    India's open market and open society approach has created one of 
the most vibrant and competitive payments ecosystems globally. Both 
Indian and international companies play a role in supporting RBI's 
less-cash vision. Currently there are no mandates in major economies that 
restrict Indian fintech or payment companies from providing their 
services from India to users in these countries.
    Global experience shows that when one nation proposes data 
localization that impacts foreign firms, other countries tend to 
respond with similar requirements. Any such counter responses in the 
current situation could severely hamper the Indian IT/ITES industry and 
serve as a chilling effect on interests globally. Retaliatory 
regulation raises costs across the digital payments ecosystem, limits 
choice and competition. Further, given that such regulations often don't 
contain ``sunset'' provisions, the market distortions they create have 
a long-term impact on the economy.
    USIBC members do not see asymmetric arrangements in the storage and 
processing of data as sustainable on a long-term basis, particularly 
with respect to the Prime Minister's goals of fostering growth of the 
digital payments economy as a key component of international trade. 
USIBC also notes that the responsible development of a digital economy, 
and India's fullest participation in it involves recognizing the 
importance of properly managed cross-border data flows bolstered by 
clear norms around privacy and data protection.
4. Stakeholders not Consulted in the Regulatory Development Process
    The Localization Requirement took USIBC and its members by surprise 
given the scope and breadth of the provisions and the lack of 
consultation with stakeholders. A localization mandate of this nature 
fundamentally changes the regulatory architecture within a jurisdiction 
and raises complex issues for the payment system operators required to 
comply with its provisions. Stakeholder consultation is critical to 
articulating the costs of such a requirement on business operations, 
understanding the changes to the cyber threat landscape it may bring, 
and evaluating the industry's continued ability to effectively identify 
and prevent breaches. This assessment would help answer the question of 
whether the proposed requirement does in fact deliver the intended 
benefits regulators seek. USIBC respectfully recommends that the 
Government of India and RBI undertake such a consultation to understand 
these costs and benefits before moving forward with implementation of 
the Localization Requirement.
5. Need for Clarification on the Scope of the Localization Requirement
    The Localization Requirement is very broadly written and creates 
ambiguities about the type of data that must be stored and the ways in 
which it must be kept in India vis-a-vis other jurisdictions. In addition, 
the requirement provides an exemption for the ``foreign leg'' or cross-
border segments of a transaction, but does not define the term and it 
remains subject to interpretation. This in turn raises concerns as to 
compliance with other international anti-money laundering requirements 
foreign operators may be subject to in the other jurisdictions in which 
they do business. Clarification on these and other related issues will 
help USIBC and its members more fully assess the true implications of 
the new requirement.
6. Coordination with International Laws and other Data Regimes
    International payment companies have global operations and are 
required to meet regulatory reporting and supervision requirements in 
multiple jurisdictions. In its current form, the Localization 
Requirement may restrict the ability of international payment companies 
to meet their legal obligations in other countries of operation and may 
be in conflict with applicable foreign laws and local laws like the 
India Information technology act which allows data to be processed and 
stored overseas with appropriate safeguards. As India considers a data 
privacy framework, the Localization requirement should be developed 
within the broader context of data privacy and protection, as opposed 
to a separate, potentially conflicting stand-alone requirement. The 
RBI's recent Inter Regulatory report on Fintech stressed the need for 
national DPR and privacy law to enable the growth of Fintech ecosystem.
    Data Protection Regimes in other jurisdictions may be helpful 
reference points and provide `lessons learned' that Indian policymakers 
can leverage as they deepen consumer protection in India. For example, 
the `India only' requirement in the provisions effectively puts India 
in a position of having the most stringent form of data localization 
measures. Jurisdictions that have implemented localization requirements 
have done so in a more nuanced form that contemplates the flow of 
cross-border data and their experiences are important to consider. In 
addition, the European Union's General Data Protection Regulation 
(GDPR) and the APEC Cross-Border Privacy Rules (APEC CBPR) may provide 
guidance on the data protection framework most appropriate for India. 
Additional information is provided in Annexure 1 to this letter.
7. Accelerating India's Digital Payments Agenda
    As India works to achieve its new target of 30 billion digital 
transactions by 2019, the ability of global payments companies to 
contribute to that goal will be more important than ever. The new 
requirements could undermine global participants' ability to deliver 
cutting-edge innovation in products and services, increasingly 
sophisticated risk, security and fraud management applications that are 
supported by analysis from complex global data sets, and collaboration 
models that propel Indian payments solutions to reach global scale.
    By its very nature, a digital economy is one that does not require 
physical presence for its processes to operate most efficiently. 
Further, the added cost of implementing and maintaining localization is 
in direct contrast to India's stated objectives to reduce the cost of 
transactions in order to maximize direct benefit to the economy.
    In 2014, the European Centre for International Political Economy 
examined the overall impact of localization measures in seven 
countries--Brazil, China, the European Union, India, Indonesia, Korea, 
and Vietnam--and found negative impacts on GDP and foreign investment. 
They found that economy-wide data localization laws drain between 0.7 
percent and 1.1 percent of GDP from the economy and that any gains are 
too small to outweigh losses in terms of welfare and output in the 
general economy.\1\ The impact of the Localization Requirement on 
broader fintech services in India must be carefully considered.
---------------------------------------------------------------------------
    \1\ http://www.ecipe.org/app/uploads/2014/12/OCC32014 1.pdf
---------------------------------------------------------------------------
1. Request and Clarification
  1.  Removal of the word `only' in Clause 2--Request RBI to allow 
        industry to implement appropriate methods to meet RBI's stated 
        objective of unfettered access and exercise supervisory control 
        of Payments data

  2.  Allowing both legs of the transaction to be retained overseas. A 
        plain reading of Clause (2i) of the Localization Requirement 
        suggests that one leg (i.e., overseas leg of the transaction) 
        will be allowed to be retained overseas. For the purposes of 
        regulatory reporting, both legs of the transactions will be 
        required. Given the above, the Localization Requirement should 
        clarify that for transactions involving a foreign leg, all 
        transactions can be retained in foreign country.

  3.  Given that India is only a Receive-only Country, storage of 
        Senders' data on systems in India should be excluded. For 
        international remittances, India is a Receive country only. To 
        require the entire data of the transaction, including 
        information on Senders (which may include Sensitive 
        Information) may create difficulties for operators. In 
        addition, there may be some type of data storage requirement by 
        the Senders' countries.

  4.  The duration in relation to length of time such data needs to be 
        stored in India should be specified. Without any `sunset' 
        provisions, the Localization Requirement may create substantial 
        costs for companies and increase risk of market distortions for 
        digital payment operators in India.

  5.  Removal of any prohibition or requirements in relation to 
        transferring such data out of India. Given that the transfer 
        would be part of a contract between a company and the consumer, 
        there should not be any restriction on transferring of data, 
        notwithstanding data storage requirement.

  6.  Confirmation of the entities who must comply with the 
        requirements. A plain reading of the text suggests that 
        compliance with the circular is required by the licensed 
        entities to whom the circular is addressed (LE). The LE is 
        required to ensure compliance by service providers, 
        intermediaries, third party vendors and other entities who 
        provide services directly to the LE in connection with 
        operating of the payment system. We request RBI to confirm this 
        position.

  7.  Confirmation of the scope of the Localization Requirement on 
        authorized dealers and the Foreign Exchange Department. A plain 
        reading of the text suggests that the activities carried out by 
        authorized dealers and instructions issued by Foreign Exchange 
        Department will not be governed by this circular. We request 
        RBI to confirm this position.
The Path Forward
    USIBC and its members seek to work collaboratively with the 
Government of India to achieve its vision for Digital Payments in India 
and fully support the need for cybersecurity and fraud prevention 
within the regulatory architecture. The significant changes implicated 
by the Localization Requirement necessitate a reversal or an indefinite 
stay on the provision to give the industry and policymakers an 
opportunity to work together to find solutions that achieve the 
intended regulatory intent and achieve the Government's vision for a 
Digital India. To that end, we respectfully request an opportunity to 
bring a delegation to discuss more fully the concerns outlined above 
and provide any additional information that may be helpful in your 
deliberations.
    I look forward to continuing our dialogue on the issue and my staff 
will follow up with your office. Please do not hesitate to direct any 
questions to Nileema Pargaonker, Head of Financial Services, 
[email protected] or Rohan Sirkar, Sr. Director, [email protected].
            Sincerely,
                                              Nisha Biswal,
                                                         President,
                                            U.S.-India Business Council
                                               U.S. Chamber of Commerce
                                 ______
                                 
                               Annexure 1

          Summary view of Data Localization in other countries
------------------------------------------------------------------------
                                     Payments Data localization mandate
              Country                       ``only'' in the Country
------------------------------------------------------------------------
European Union                       No
------------------------------------------------------------------------
Russia                               No
------------------------------------------------------------------------
Indonesia                            No
------------------------------------------------------------------------
Canada                               No
------------------------------------------------------------------------
USA                                  No
------------------------------------------------------------------------
Hong Kong                            No
------------------------------------------------------------------------
Singapore                            No
------------------------------------------------------------------------
Australia                            No
------------------------------------------------------------------------
Japan                                No
------------------------------------------------------------------------
India                                Yes
------------------------------------------------------------------------

Data Protection Regimes
The European Union General Data Protection Regulation (GDPR)
    Europe's General Data Protection Regulation (GDPR) does not have any 
data localization requirements. Under the European model, companies 
have flexibility with respect to the legal mechanism they use for data 
transfers. For example, under GDPR, companies have multiple options, 
including Standard Model Clauses, Country Adequacy, Binding Corporate 
Rules, and Privacy Shield.
The APEC Cross-Border Privacy Rules (APEC CBPR)
    The APEC CBPR was endorsed in 2011 and is a voluntary principles-
based privacy code of conduct for data controllers in participating 
APEC member economies, relating only to cross-border data flows.

   Organizations within participating economies seeking 
        certification under the APEC CBPR must have their data 
        protection practices and procedures assessed as compliant with 
        the program requirements.

   The APEC CBPR seeks to ensure compliance with normative 
        principles in order to ensure data is securely stewarded and 
        therefore preventing the need to require the on-shoring of data 
        for security concerns.
Other Major Data Protection Regimes in Asia
    Other data protection laws in major financial, processing and data 
analytics hubs that compete with India (e.g., Japan, Australia, Hong 
Kong, Singapore and the Philippines) provide for a range of legal 
mechanisms for companies to rely on for their cross-border data 
transfers. These include: accountability, ensuring that the recipient 
country has similar laws which protect the data, binding corporate 
rules, contractual clauses, and consent. These countries notably do not 
have data localization requirements for transaction data.
Other Data Regimes
    Some countries (e.g., Indonesia, Russia and China) have data 
regimes that contain certain requirements as to local storage and some 
related restrictions. However, these requirements are more nuanced than 
headlines would suggest. For example:

   Indonesia has on-soil data centre and onshore processing 
        requirements. However, these do not prohibit the transfer of 
        transaction data outside of Indonesia.

   Russia's Data Protection Law, while requiring a primary 
        database of the data to be onshore, does not prohibit the 
        transfer of transaction data or secondary copies of the data 
        off-shore and is limited to personal data.

   China's Cybersecurity Law, which requires the onshore 
        processing of personal data and important data by critical 
        infrastructure operators, envisages the possibility of cross-
        border transfers of such data when this is necessary for 
        business requirements and where this is subject to a security 
        assessment.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jon Tester to 
                          Roslyn Layton, Ph.D.
    Question 1. Many members of the panel mentioned the United States 
needs to step up our level of engagement and join other like-minded 
countries. In your opinion, which countries closest align with our 
values on Internet freedom, privacy, and Internet of Things?
    Answer. There are many countries which align with the U.S. on 
freedom, privacy, and the digital economy. Probably the closest ally is 
the United Kingdom, which not only enjoys close cultural and legal 
affinity with the US, but also deep economic ties with our digital 
economy.\15\ Importantly, the UK is less burdened by misguided EU 
policies such as the GDPR, forced erasure, and other EU Internet 
regulations.
---------------------------------------------------------------------------
    \15\ http://www.aei.org/publication/brexit-bring-uk-ever-closer-us-
digital-trade/
---------------------------------------------------------------------------
    While U.S.-EU relations may be strained at times, there is more in 
common between the U.S. and EU than not. In any case, in the last two 
years, significant goodwill has been advanced on the bilateral level in 
some European countries including Denmark and Poland, a credit to the 
indefatigable diplomatic and ambassador corps and officials from the 
Department of Commerce and State. Despite the Senate's glacial pace 
of confirmations, acting and confirmed ambassadors to the EU have 
worked tirelessly and have realized success. For example, Denmark is 
the world's leading digital nation and desires to grow and strengthen 
relationships with the U.S.\16\ Poland is a relatively large European 
country (38 million) which has strong cultural and security ties to the 
U.S. It has many highly skilled workers and a significant industrial, 
manufacturing base for high tech products. If a dialogue is strained 
directly with the European Commission, the U.S. can work directly with 
each European nation, and those nations can push the rational policy 
forward in Brussels.
---------------------------------------------------------------------------
    \16\ https://www.mercatus.org/publications/broadband-policy-
deregulation-denmark
---------------------------------------------------------------------------
    While Japan and South Korea may have adopted some misguided 
policies on data transfer, the countries are security and trade allies 
with the US. It is important that the U.S. maintain these relationships 
and their exports are not lumped into the category of Chinese 
technology. It should be explored how to lessen the data transfer 
burdens considering the increasingly important role the U.S. plays for 
military, security, and economic reasons.
    More generally, the U.S. has allies in the many Asian nations which 
are weary of Chinese influence. The U.S. should try to strengthen these 
relationships. There is an important and valuable dialogue in the APEC 
Privacy Framework.\17\ This framework is a proven and preferable 
substitute for the GDPR. The U.S. should be more aggressive to 
challenge the EU on the GDPR, particularly considering the significant 
trade between the U.S. and EU in physical goods.
---------------------------------------------------------------------------
    \17\ https://cbprs.blob.core.windows.net/files/
2015%20APEC%20Privacy%20Framework.pdf
---------------------------------------------------------------------------
    In the Americas, the U.S. has a significant digital trade with 
Mexico and goodwill having concluded a trade agreement. Such progress 
is still possible with Canada, a relationship in which the two 
countries have significant next generation broadband networks, digital 
trade and exchange of technology workers.\18\ Colombia desires to be the 
information technology hub of South America, having just been invited 
to join the OECD. The turnaround of the country from a failed state 
to a modern digital economy today is almost miraculous, and it 
represents a policy success for the U.S. and the result of a long-term, 
bi-partisan commitment established in the Clinton Administration.
---------------------------------------------------------------------------
    \18\ http://www.aei.org/publication/claims-that-wireless-service-
is-too-expensive-dont-hold-up/
---------------------------------------------------------------------------
    Another important ally is Israel which has a significant economy in 
digital innovation.

    Question 2. What forum (e.g., the United Nations, NATO, etc.) do 
you recommend for facilitating an international discussion on rules and 
definitions?
    Answer. If Congress does only one thing, it should be to restore 
the bipartisan consensus which has made the Internet a success in the 
spirit of the 1996 Telecommunications Act. I applaud the committee and 
the Senators on both sides of the aisle who have made an effort to 
understand and address these issues. That both parties can have a 
constructive dialogue on the issue of international Internet policy 
will go a long way to set the tone for the many Federal agencies and 
representative bodies in which the U.S. participates.
    More broadly, the multistakeholder model (MSM) is not perfect, but 
it still affords the best model of Internet governance. The MSM is not 
a democratic body as such, but if the U.S. Government and American 
stakeholders play a leadership role within the MSM--displaying a 
faithful and authentic representation of American democratic values--
the MSM can be a source for good and can help the U.S. regain its 
leadership position in international Internet policy to amplify the 
policy Congress defined for the Internet.
    The U.S. won't have any credibility if its international Internet 
policy is just about American companies making money. The U.S. must 
also export a value system that legitimately empowers and rewards other 
nations to participate in a free market Internet economy, respect the 
rule of law and individual rights, limit regulatory distortion and 
abuse, protect property, and deliver measurable improvements in quality 
of life. This also includes measures to protect the vulnerable, notably 
children.

    Question 3. Before the United States can lead the charge 
internationally, we must unify our own ``rules of the road.'' Does such a 
forum currently exist, to your knowledge? How has private industry in 
the U.S. tried to tackle how we define the rules of the road when it 
comes to Internet security and governance? Which U.S. governmental 
agency would you recommend take the lead and represent the United 
States in international discussions?
    Answer. The U.S. needs to reinvigorate the concept of ``Team USA'' 
when it comes to international Internet policy. I restate my comments 
to NTIA here.\19\
---------------------------------------------------------------------------
    \19\ https://www.ntia.doc.gov/files/ntia/publications/
ntia_iip_roslyn_layton_aei_final.pdf
---------------------------------------------------------------------------
    The Internet makes the world more transparent and speeds 
information. Increasingly America's companies are global, employ a 
greater number of Americans, and account for a larger part of the U.S. 
economy. While domestic policy is governed by a set of national rules 
and institutions, the conduct of international commerce and enterprise 
requires a harmonization of international rules and norms. Harmonizing 
international institutions with Constitutional concepts of rule of law 
and individual rights offers the most fair, rational, and humane regime 
for Internet policy. To the maximum degree possible, the diverse set of 
American stakeholders should conduct this international dialogue and 
negotiation with a spirit of playing for the same team, Team USA.
    The Olympics offers an ideal vision for a global multistakeholder 
model (MSM). While the Nation is a team, its athletes compete in 
different events. Athletes are professional, sportsmanlike, and top-
performing. They play by the transparent and agreed rules and win 
because of their skills, strategy, and passion on the field, not 
because of a deal with the judges. Athletes respect their opponents and 
share the camaraderie of experience. American stakeholders and 
enterprises are as diverse as America's Olympic athletes and the sports 
in which they compete, but they should all play for the same team, Team 
USA.
    When American companies do business abroad--whether they are 
hardware, software, content, or telecom--they want a rational, 
predictable, and consistent framework across the board. Such a 
framework allows the firm to minimize costs, maximize profit, and 
ensure efficiency. To ensure the ideal framework abroad, companies 
should advocate for the ideal framework at home. Therefore, the policy 
should be a consistent set of rules for all players, grounded in 
modern, evidence-based standards of antitrust, and delivered by the 
Federal Trade Commission.\20\
---------------------------------------------------------------------------
    \20\ Bennett, Richard and Eisenach, Jeffrey A. and Glassman, James 
K. and Howell, Bronwyn E. and Hurwitz, Justin (Gus) and Layton, Roslyn 
and Bret Swanson, Comments on Communications Act Modernization (January 
31, 2014). Available at SSRN: https://ssrn.com/abstract=2388723
---------------------------------------------------------------------------
    Cronyism, the unhealthy closeness between government and special 
interests, is a process to win government-granted privileges and 
favoritism.\21\ It upends the notion of public interest, that 
policymakers serve the broad social goals. Instead it demonstrates that 
government actors frequently reward private actors at the expense of 
the public. Over the long term, cronyism undermines the legitimacy of 
private sector and government. It also creates moral hazard, the 
situation in which an actor increases its exposure to risk because 
another party bears the cost of the risk. Taxpayers are too often left 
holding the bag. They revolt in elections.
---------------------------------------------------------------------------
    \21\ Adam Thierer and Brent Skorup, ``A History of Cronyism and 
Capture in the Information Technology Sector | Mercatus Center,'' 
Journal of Technology Law & Policy, July 2013, https://
www.mercatus.org/publication/history-cronyism-and-capture-information-
technology-sector.
---------------------------------------------------------------------------
    For example, leading Silicon Valley firms have waged a campaign to 
impose Internet regulation on the telecom industry to avoid 
interconnection fees and preclude the development of competitive 
business models for content and advertising.\22\ While it may be a 
rational strategy for Silicon Valley, it is wrong and unfair to employ 
political means to secure price controls which undermine the efficient 
functioning of Internet markets. This has been harmful in the U.S. as 
well as abroad.
---------------------------------------------------------------------------
    \22\ ``Net Neutrality,'' Internet Association, accessed July 19, 
2018, https://internetassociation.org/positions/net-neutrality/.
---------------------------------------------------------------------------
    The imposition of price controls denies infrastructure providers 
revenue to build networks (and tax revenue for governments), undermines 
the emergence of business models which could support local content 
development for socially beneficial goods (particularly in developing 
countries), and unduly burdens consumers with the full cost of 
networks, a cost that falls disproportionately on the poor. Moreover, 
the exercise distracts scarce policymaking resources away from real 
problems, which are empirically demonstrated to be the malign acts of 
governments to censor people, services, and data.\23\
---------------------------------------------------------------------------
    \23\ Freedom House. Freedom on the Net 2017. https://
freedomhouse.org/report/freedom-net/freedom-net-2017
---------------------------------------------------------------------------
    Indeed, many Internet related firms and industries have taken 
advantage of the regulatory process to win favorable treatment for 
themselves at the expense of their competitors and consumers. They now 
reap what they have sown in a global ``techlash.'' \24\ Foreign 
counterparts have learned from the rent-seeking behavior of American 
firms, and it has boomeranged. Now foreign governments find ways to 
regulate American firms to reward their domestic players.\25\
---------------------------------------------------------------------------
    \24\ ``The Techlash against Amazon, Facebook and Google--and What 
They Can Do,'' The Economist, January 20, 2018, https://
www.economist.com/briefing/2018/01/20/the-techlash-against-amazon-
facebook-and-google-and-what-they-can-do.
    \25\ Roslyn Layton, ``Net Neutrality Will Be Reincarnated as 
Platform Regulation,'' AEI, December 20, 2017, http://www.aei.org/
publication/net-neutrality-will-be-reincarnated-as-platform-
regulation/.
---------------------------------------------------------------------------
    While the freedom of speech restricts governments' ability to censor 
and regulate content, it ensures individual sovereignty to do so. As 
such, private networks, platforms, and individual users have the 
freedom to control the content they deliver and consume. The best way 
to address perceived bias on informational platforms is to create 
alternatives. Rather than platform regulation, government should 
support the market forces that will support competition.\26\ Misguided 
FCC Internet and privacy regulation has deterred innovation in 
advertising platforms, solidifying a monoculture of business 
models.\27\ Moreover price controls disguised as regulation for non-
discrimination have deterred the evolution of a free market for data, 
forcing consumers to pay the full cost of broadband and denying them 
alternatives to lower cost. Internet penetration is at 76 percent in 
the U.S. The only way to close the gap is to allow flexible pricing and 
the freedom of different actors to create value propositions for 
consumers. I have conducted detailed assessments of the harm to the 
poor by regulatory prejudice and restriction on the flexible pricing of 
data. The most notable example is India's total ban of differential 
pricing which keeps 2 of every 3 people offline.\28\ See a list of 
relevant papers below.\29\
---------------------------------------------------------------------------
    \26\ Roslyn Layton, ``Net Neutrality Will Be Reincarnated as 
Platform Regulation,'' AEI, December 20, 2017, http://www.aei.org/
publication/net-neutrality-will-be-reincarnated-as-platform-
regulation/.
    \27\ Roslyn Layton, ``FCC Privacy Regulation Will Limit Competition 
in a Market That Really Needs It: Online Advertising,'' AEI, March 11, 
2016, http://www.aei.org/publication/fcc-privacy-regulation-will-limit-
competition-market-really-needs-online-advertising/.
    \28\ Roslyn Layton, ``Why Does California Want to Adopt India's 
Failed Internet Regulation?,'' AEI, July 16, 2018, http://www.aei.org/
publication/why-does-california-want-to-adopt-indias-failed-internet-
regulation/.
    \29\ Layton, Roslyn and Elaluf-Calderwood, Silvia, Zero Rating: Do 
Hard Rules Protect or Harm Consumers and Competition? Evidence from 
Chile, Netherlands and Slovenia (August 15, 2015). Available at SSRN: 
https://ssrn.com/abstract=2587542.
    Layton, Roslyn and Elaluf-Calderwood, Silvia, Free Basics Research 
Paper: Zero Rating, Free Data, and Use Cases in mhealth, Local Content 
and Service Development, and ICT4D Policymaking (September 27, 2016). 
TPRC 44: The 44th Research Conference on Communication, Information and 
Internet Policy 2016. Available at SSRN: https://ssrn.com/
abstract=2757384
    Howell, Bronwyn E. and Layton, Roslyn, Evaluating the Consequences 
of Zero-Rating: Guidance for Regulators and Adjudicators (August 2016). 
TPRC 44: The 44th Research Conference on Communication, Information and 
Internet Policy 2016. Available at SSRN: https://ssrn.com/
abstract=2757391.
    These papers have been referenced by the European Commission in 
their definitive study of zero rating. ``Zero-Rating Practices in 
Broadband Markets'' (EU, February 2017), http://ec.europa.eu/
competition/publications/reports/kd0217687enn.pdf.
---------------------------------------------------------------------------
    However, if the U.S. can clean up its own cronyism, American 
stakeholders will have an easier time to shut it down when facing it 
abroad. Sowing the seeds of free market and Constitutional principles 
will bear delicious fruit. Voters and policymakers recognize that 
modernizing America's regulatory institutions will be the most 
important step to maximize the welfare of the American people, its 
innovators, and its economy. Removing the incentives for regulatory 
arbitrage forces firms to compete on the merits of their goods and 
services--serving their customers, not regulators. This approach is the 
most fair and rational.

    Question 4. Dr. Layton, you mentioned one aspect missing from the 
GDPR is education. What would educating the public look like and who is 
responsible for it? Federal Government? State and local?
    Answer. Thank you for your questions on education. The Federal 
Trade Commission has developed extensive and valuable educational 
materials on data privacy and protection.\30\ While many of these 
materials and concepts have been developed to protect children, these 
best practices are also applicable to adults. This learning should be 
broadened and leveraged for Americans of all ages and made available on 
the FTC website. It could be explored to make a no free, zero rated 
website, e.g., www.privacy.gov, where any person can learn the skills to 
protect oneself online. The FTC can fulfill this task efficiently and 
avoid duplication at the state and local government level. The 
following further comments are taken from my submission to the Federal 
Trade Commission.\31\
---------------------------------------------------------------------------
    \30\ https://www.consumer.ftc.gov/topics/privacy-identity-online-
security
    \31\ http://www.aei.org/publication/statement-by-roslyn-layton-in-
the-matter-of-competition-and-consumer-protection-in-the-21st-century-
and-market-solutions-for-online-privacy/
---------------------------------------------------------------------------
    The Role of Consumer Education in Promoting Online Privacy. 
Consumer education is tacitly recognized as important, but it is a 
fragmented field, frequently disconnected from policy. Canadian home 
economist and consumer studies educator Sue McGregor offers an 
authoritative academic review of the field of consumer education.\32\ 
She describes consumer education as a means of protecting consumers as 
economic actors and empowering them with the political, ethical, and 
moral aspects of consumption (behavior) and consumerism (ideology) and 
observes that the concept has been extant for 120 years. A variety of 
theories explain the need for consumer education. For example, the 
market does not provide enough education, so information needs to be 
stimulated. Another view is that consumers demand ``uncensored'' 
information about the market. Another view posits that education is the 
path to consumer activism, so information is promoted by interested 
parties. Others define consumer education as a conceptual innovation. A 
modern view of consumer education describes it as a function of 
decision-making, personal resource management, and citizen 
participation in the policy process.
---------------------------------------------------------------------------
    \32\ Sue L. T. McGregor, ``Framing Consumer Education Conceptual 
Innovations as Consumer Activism,'' International Journal of Consumer 
Studies, 2015, http://www.consultmcgregor.com/documents/research/
consumer_activism_published_ijcs.pdf.
---------------------------------------------------------------------------
    In recent decades the notion of consumer education has been likened 
to a human right (1960s), a model of postindustrial economics, people no 
longer producing their own goods (1970s), the business paradigm of 
consumer as client (1980s), the public-private partnership for consumer 
education, indeed a concept promoted in the 1996 Pitofsky report \33\ 
(1990s), and in the 2000s, consumer education vis-a-vis globalization 
and the policy process. Most recently the field has incorporated 
complexity theory. Despite this evolution, consumer education remains a 
fragmented endeavor with certain areas getting significant attention, 
for example financial literacy and smoking cessation, while other 
important areas are not discussed. There is also the view of the 
politicization of consumer education, for example that centrally 
planned disclosure for nutrition information on food satisfies 
regulators' expectations but fails to be meaningfully adopted by 
consumers.\34\ This suggests that for consumer education to be 
meaningful it needs to be bottom-up or at least be holistic.
---------------------------------------------------------------------------
    \33\ Federal Communication Commission, ``Anticipating the 21st 
Century: Consumer Protection Policy in the New High-Tech, Global 
Marketplace'' May 1996, https://www.ftc.gov/system/files/documents/
reports/anticipating-21st-century-competition-policy-new-high-tech-
global-marketplace/gc_v2.pdf.
    \34\ S. Hieke and C. R. Taylor, ``A Critical Review of the 
Literature on Nutritional Labeling,'' Journal of Consumer Affairs 46, 
no. 1 (2012): 120-56.
---------------------------------------------------------------------------
    It is instructive to consider the robust, vibrant market for 
information and education in the consumer electronics field detailing 
the most minute and technical aspects of machines. For decades consumers 
have availed themselves of magazines, online discussions, rankings, 
reviews, how-to videos, conferences, and so on. There is no policymaker 
directing the discussion, but it grows by consumer demand.
    There is no reason why there could not be a similar field for the 
consumption of online services, which describes the contours of online 
privacy and how users could select different technologies to manage 
their privacy. The difference is that consumer electronics education is 
essentially funded by advertising, the many providers of phones, 
devices, appliances, and so on advertise in popular publications, host 
discussions, and so on. Online platforms do not advertise as such. A 
valuable policy research project could investigate how to stimulate a 
market for consumer education on privacy and some recommendations 
follow in this paper.
    In any event, without consumer education on privacy it is difficult 
to expect all consumers to fully understand what to consent to when 
agreeing to typical terms of services. The disclosures could be 
simplified and updated in more consumer-centric language and format.
    Public Choice Explanation for the Lack of Consumer Education on 
Privacy. The academic discipline of public choice uses economics to 
investigate problems in political science. It could help explain why 
consumer education on privacy is lacking, aside from one possible 
explanation that consumers are not interested in learning about privacy 
and therefore do not demand such information. A public choice 
theorization would likely recognize that while the notion of consumer 
education has implicit valence, industry and regulators may have 
incentives to de-emphasize its role. Indeed, if consumers are empowered 
to make informed choices, they have less need of regulators' 
supervision. Similarly, consumers making informed choices also affects 
industry; it has a powerful effect to drive consumers from one firm to 
another.
    The European Union's GDPR is suspect in that among 173 provisions 
the role and importance of consumer education is never discussed. This 
is likely because the regulation is in part a make-work program for 
75,000 new privacy officers and the employees of 62 data protection 
authorities. The GDPR assumes that regulatory authorities have more 
information than consumers and firms and therefore know better how to 
order transactions in the marketplace.\35\ All the same, the GDPR 
imposes massive new responsibility on regulators without a concurrent 
increase in training or funding.\36\ EU data supervisors must wear many 
hats, including ``ombudsman, auditor, consultant, educator, policy 
adviser, negotiator, and enforcer.'' \37\ Furthermore, the GDPR widens 
the gap between the high expectations for data protection and the low 
level of skills possessed by data supervisors charged with its 
implementation.\38\ There are certainly many talented individuals among 
these ranks, but the mastery of information communication technologies 
varies considerably among these professionals, especially as each 
nation's data protection authority is constituted differently.
---------------------------------------------------------------------------
    \35\ See generally F. A. Hayek, ``Economics and Knowledge,'' 1937; 
and F.A. Hayek, ``The Use of Knowledge in Society,'' 1945.
    \36\ Douglas Busvine, Julia Fioretti, and Mathieu Rosemain, 
``European Regulators: We're Not Ready for New Privacy Law,'' Reuters, 
May 8, 2018, https://www.reuters.com/article/us-europe-privacy-
analysis/european-regulators-were-not-ready-for-new-privacy-law-
idUSKBN1I915X.
    \37\ Colin J. Bennett and Charles Raab, ``The Governance of 
Privacy: Policy Instruments in Global Perspective,'' 2006.
    \38\ Charles D. Raab and Ivan Szekely, ``Data Protection 
Authorities and Information Technology,'' Computer Law and Security 
Review (forthcoming), https://ssrn.com/abstract=2994898.
---------------------------------------------------------------------------
    Public choice theory also suggests that the EU data supervisors' 
preferences are not necessarily aligned with the ``public interest,'' 
or what is best for European welfare in the long run. Increasing user 
knowledge and the quality of data protection technology could 
legitimately make people better off, but it could also render 
regulators less important. While data supervisors will not necessarily 
reject policies that improve user knowledge and technology design, it 
is in their interest to promote inputs that increase their own 
resources and legitimacy in conducting compliance and adjudication.\39\
---------------------------------------------------------------------------
    \39\ Roslyn Layton, ``How the GDPR Compares to Best Practices for 
Privacy, Accountability, and Trust,'' March 31, 2018, 14, https://
papers.ssrn.com/sol3/papers.cfm?abstract_id=2944358.
---------------------------------------------------------------------------
    Many surveys demonstrate that many users fail to practice basic 
privacy-enhancing behaviors.\40\ This situation is ripe for improvement 
and represents a classic example of how consumer education can improve 
outcomes better, more quickly, and at a lower cost than regulation. 
Indeed, the first principle of consumer education in data protection, 
buyer beware, is the first principle for how citizens should protect 
themselves from cyberthreats in Michael Chertoff's new book on 
cybersecurity: ``Be mindful of what data you transmit and what you 
connect to your own network.'' \41\ He also recommends practicing cyber 
hygiene, taking advantage of layered cybersecurity technology, and 
outsmarting scams with a phone call. Consumers need to practice the 
same kind of vigilance and personal responsibility in cybersecurity as 
they do in the data protection domain. Outsourcing the job to 
bureaucrats will not cut it, as the user can be a vulnerability point. 
Consider warnings and labels on food and chemicals; while regulation 
can mandate that disclosures be made, if users do not recognize the 
meaning of expiration dates or consumption warnings, then the 
disclosure has little impact.
---------------------------------------------------------------------------
    \40\ Layton, ``How the GDPR Compares to Best Practices for Privacy, 
Accountability, and Trust.''
    \41\ Michael Chertoff, ``Exploding Data: Reclaiming Our Cyber 
Security in the Digital Age,'' Atlantic Monthly Press, 2018.
---------------------------------------------------------------------------
    As such, the GDPR rests on a fallacy that making consent more 
explicit makes consumers more informed. The GDPR requires enterprises 
to make consent ever more detailed, burdensome, and granular without 
increasing the user's holistic knowledge of the transaction. This 
creates an increasing chasm between consumer empowerment and 
bureaucratic control. It is like speaking more loudly to a person who 
speaks another language in the hope that she will better understand.
    When producers and consumers do not have perfect information, this 
discrepancy can give rise to inefficiency or abuse. Peer-to-peer 
platforms have resolved many of these problems of informational 
asymmetry through information sharing. Consider how the ability to 
evaluate drivers and riders is an essential part of ridesharing apps. 
Before Uber, neither the taxi company nor the regulator was interested 
in publishing real-time information about the quality of drivers or cars, 
as it would likely impugn the failure of the regulator. Ratings and peer 
reviews are essential in the digital economy. Indeed, some health 
regulators use Yelp ratings to help inform how they deploy their 
inspection resources.\42\
---------------------------------------------------------------------------
    \42\ Roslyn Layton, ``How Sharing Economy Regulatory Models Could 
Resolve the Need for Title II Net Neutrality,'' AEI, June 26, 2017, 
http://www.aei.org/publication/sharing-economy-regulatory-models-
resolve-need-title-ii-net-neutrality/; and Arun Sundararajan, The 
Sharing Economy: The End of Employment and the Rise of Crowd-Based 
Capitalism (MIT Press, 2016).
---------------------------------------------------------------------------
    Consumer education could be vital to demystify the ``black box'' of 
many Internet platforms, which for many consumers is a system in which 
they can observe the inputs and outputs but have little to no insight 
into its internal workings.
    Tapping the FTC's Consumer Education Resources. The FTC already has 
significant educational resources to help consumers protect themselves 
online in the privacy, identity and online security sections of its 
website.\43\ It would be worthwhile to see how this information could 
be shared, syndicated, and amplified, for example through social media 
by users themselves. Even if no further policy was enacted at all, 
people could read the FTC section on protecting kids online and learn 
many things about being more responsible and protecting one's privacy. 
Essentially, the very restraint that parents are to apply to children, 
they should apply to themselves.
---------------------------------------------------------------------------
    \43\ Federal Trade Commission, ``Privacy, Identity & Online 
Security,'' https://www.consumer.ftc.gov/topics/privacy-identity-online-security
---------------------------------------------------------------------------
    Moreover, there is nothing to stop any privacy advocacy 
organization, philanthropic charity, school, trade association, or 
company from presenting a similar list or linking to the FTC's 
information. They do not have to ask permission; they do not need to 
wait for legislation. Information can be made available to consumers 
today.
    The section on limiting unwanted calls and e-mails is quite 
detailed, noting privacy choices for your personal financial 
information; stopping unsolicited mail, phone calls, and e-mail; 
blocking unwanted calls; robocalls; the do not call registry; phone 
scams, telemarketing rules; and reducing spam on e-mail and SMS. These 
include common sense tips such as using e-mail filters, limiting 
exposure of one's e-mail address, changing privacy settings, choosing 
a unique e-mail address, detecting and removing malware, and reporting 
spam.
    The section on protecting kids online delves into cyberbullying, 
how parents can talk with kids, and basic security such as peer-to-peer 
file sharing, phishing, and downloading apps. Indeed, these pointers 
could easily be extended to adults. Some of these settings could be 
defaults for first-time adult users until they become more familiar. 
There are privacy-enhanced devices and apps for children, so there is no 
reason why they cannot be designed for adults. Features include 
programmable limitation on services, emergency buttons, time management 
controls, filtering software applied to ensure that users do not share 
personal information or content. Just as parents develop rules for 
their kids, they should live by their own rules, limiting their use at 
family times, in the evening, etc. But they can also be more diligent 
about their behavior. Adults should be cautious in what they post, 
whether text, picture, or video. They should use ``good judgment.''
    The OECD's International Cooperation on Consumer Education for 
Online Privacy. More than a decade ago various private and public 
organizations outlined the role of consumer education in online 
privacy, but this thinking and educational assets have not been 
meaningfully incorporated into policy. Notably, the Organisation for 
Economic Co-operation and Development (OECD) published a study on 
Consumer Education for Digital Competence.\44\ Key learning points 
include:
---------------------------------------------------------------------------
    \44\ Organisation for Economic Co-operation and Development, 
``Consumer Education Policy Recommendations of the OECD's Committee on 
Consumer Policy,'' 2009, http://www.oecd.org/sti/consumer/44110333.pdf.
---------------------------------------------------------------------------

   Linking the concept of digital competence with critical 
        thinking on technology and the media,

   Educating to provide a basis for developing an understanding 
        of the structures and conceptual relationships understanding 
        digital media (e.g., functioning of online market, e-commerce 
        marketing techniques, and user tools),

   Learning the how and why of protecting personal information 
        when using digital media,

   Using media to promote the education of digital competence 
        in compelling ways (e.g., games, videos, blogs, and virtual 
        worlds),

   Age-appropriate education,

   Implementing teacher training, and

   Strengthening multi-stakeholder cooperation to create 
        educational partnerships.

    The OECD also published a book to describe prevailing consumer 
education practices across the member nations, including the 
institutional frameworks and policy evaluation tools.\45\
---------------------------------------------------------------------------
    \45\ Organisation for Economic Co-operation and Development, 
``Promoting Consumer Education: Trends, Policies and Good Practices--
OECD,'' March 2009, http://www.oecd.org/sti/consumer/
promotingconsumereducationtrendspoliciesandgoodpractices.htm#howto.
---------------------------------------------------------------------------
    Institute for Privacy Protection at Seton Hall University. Gaia 
Bernstein, director of the Institute for Privacy Protection and 
codirector of the Gibbons Institute of Law Science and Technology at 
Seton Hall University observes, ``We can take action to regain control 
of our time, attention and social interactions.'' \46\ The center 
offers training for teachers and other leaders about how to empower 
users to manage their privacy. The core curriculum is based on the 
concept of explaining the concept of privacy, digital footprints and 
reputation, ads and content choice, and online versus offline 
balance.\47\
---------------------------------------------------------------------------
    \46\ Gaia Bernstein, ``About the Over-Users,'' accessed August 20, 
2018, http://gaiabernstein.com/.
    \47\ Seton Hall, ``Institute for Privacy Protection's School 
Outreach Program,'' https://law.shu.edu/about/news.cfm?customel_datapageid_6255=537438.
---------------------------------------------------------------------------
    Teaching Privacy Curriculum. For example, in the US, the ``Teaching 
Privacy Curriculum'' by Serge Egelman et al., offers interactive 
instruction on 10 principles of online privacy over three weeks in a 
university setting, a method that has also proved effective to educate 
and empower users to manage their privacy.\48\
---------------------------------------------------------------------------
    \48\ Serge Egelman et al., ``The Teaching Privacy Curriculum,'' 
2016, 591-96.
---------------------------------------------------------------------------
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maggie Hassan to 
                            Denise E. Zheng
    Question 1. We have heard a lot about Europe's new data privacy 
protections, known as the GDPR. I would like to understand better what 
their actual impact has been in the United States, and how much 
companies are differentiating their practices for European consumers 
vs. American consumers.
    For example, during his testimony in the spring, Mark Zuckerberg 
promised that Facebook would apply the same standards to users in 
Europe and America. But it now appears that Facebook is requiring 
consent from European users for some of its policy changes while merely 
notifying American users--and may be treating users in other places 
like Asia differently altogether.
    From your perspective working with companies, are they now handling 
European users differently than American users, or are companies 
applying the same standards and practices worldwide? Why should we seek 
to harmonize our laws across countries, if it's easy for companies to 
treat users differently in different places?
    Answer. Companies face a growing number of privacy and other data 
protection requirements at the state, federal, and global level. As a 
result, it can be difficult for businesses to apply the same privacy 
practices worldwide due to competing and sometimes conflicting 
regulatory requirements.
    The privacy and security of consumer data is a top priority for 
Business Roundtable companies regardless of where their consumers are 
located. In some cases, companies may apply the same practices and 
standards worldwide, while in other instances, adopting the same 
practices everywhere may make it unfeasible to comply with local 
requirements and enforcement regimes.
    Harmonization of existing privacy and other data protection 
requirements is necessary to avoid a globally fragmented regulatory 
environment. The global patchwork of requirements is cumbersome and 
costly for large companies and even more difficult for small businesses 
and startups to navigate. The legal uncertainty that results from the 
lack of harmonization undermines investment, growth, and job creation.

    Question 2. Earlier this spring, attorney Craig Newman proposed the 
idea of publicly grading companies' data privacy and cybersecurity 
efforts on a simple A through F scale, similar to the way we do with 
health inspections for restaurants in some places. The goal would be to 
create incentives for companies to implement best practices in order to 
receive better grades and help them retain and attract customers.
    There are some issues we would need to work through in implementing 
something like this, but I think it is an idea worth exploring further, 
which I am currently doing with Mr. Newman and others.
    Do you have further thoughts on this kind of proposal?
    Answer. Business Roundtable has not yet evaluated this proposal, 
but we stand ready to assist the Committee as it evaluates this and 
other proposals.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                           to Denise E. Zheng
    Question 1. There are nearly a quarter of a million small 
businesses in Nevada. They're working to try to navigate the 
increasingly complex cyber world and I hear a lot from them about 
cybersecurity and other Internet issues.
    Can you talk about GDPR, as well as other international 
regulations, and how we can ensure that small businesses have the tools 
to navigate these as well as rules that are being put in place at the 
state level?
    Answer. Many small- and medium-sized companies have very limited 
resources and in-house expertise to navigate the increasingly complex 
regulatory landscape for privacy and security.
    Governments at the state, federal, and international levels should 
provide assistance, training, and tools for small- and medium-sized 
businesses to strengthen their efforts to improve their own data 
security and privacy practices. Governments should also consider 
whether their outreach and relationships effectively reach small- and 
medium-sized businesses and make efforts to ensure that they consider 
the interests of all companies.
    In cases where greater government engagement is needed, governments 
should provide small businesses with practical and tailored risk 
management frameworks, guidance, and other tools to ensure businesses 
of all sizes have the resources to safeguard their own data and 
technology infrastructure, protect consumer data, and comply with 
regulatory requirements.

    Question 2. Countries are increasingly imposing data localization 
requirements, which require companies that collect personal data to 
store it on servers within the geographic boundaries of the country, as 
a requirement for companies to do business there.
    Are there logistically feasible ways for American entities to 
process data internationally with the data localization policies that 
were discussed at the hearing?
    Answer. Data localization requirements can impose prohibitively 
costly workarounds on American companies processing data 
internationally. When laws require data to be stored and processed 
within the borders of one country, companies may attempt to comply by 
replicating, at a great cost, centralized systems, connectivity, 
software, and supporting data. A company that hosts back-office 
services at two centralized data centers (one primary, one backup for 
resiliency and disaster recovery) could see operating costs multiply if 
forced to create regional data centers.
    Furthermore, U.S. companies that develop content for global 
distribution or share services on a global scale may be required to 
duplicate business efforts. For example, a company that develops online 
content for one online platform may be required to redesign and 
redeploy that content in countries that censor those platforms.
    Finally, localization measures weaken the resilience of global 
business and critical infrastructure. As noted, a geographically 
diverse network architecture provides businesses with added resiliency. 
If there are physical outages or cyber-attacks at one data center, a 
robust global network enables other data centers to pick up the work. 
The same geographic diversity enables 24/7 threat monitoring and 
mitigation through a follow-the-sun approach to cybersecurity 
operations.

    Question 3. How does this impact academia or the private sector?
    Answer. The growth of data localization restrictions across the 
globe is causing key challenges for U.S. companies across all sectors 
of the economy including:

   Threatens Interoperability. Data localization requirements 
        threaten a free and open Internet by putting unnecessary 
        restrictions on the free-flow of data. It is a form of digital 
        protectionism that fragments the internet, undermines global 
        interoperability, and could result in delays and unevenness in 
        the deployment of the new internet-enabled technologies.

   Compliance Costs. Data localization requirements impose 
        significant costs associated with legal and regulatory 
        compliance. Restrictions are complex and nuanced, requiring 
        interpretation and causing legal uncertainty. Such requirements 
        can raise the cost of hosting data by 30 to 60 percent for 
        companies that are covered by such requirements.\1\ One study 
        estimated that enacted or proposed data localization mandates 
        in China could cost up to 1.1 percent of its GDP and the cost 
        of data localization requirements in the EU could cost nearly 
        0.4 percent of its GDP.\2\ Localization can also limit the 
        effectiveness of regulatory compliance by preventing the timely 
        transfer of data to inform regulatory requests and reporting, 
        such as those with respect to anti-money laundering 
        requirements under the Bank Secrecy Act.
---------------------------------------------------------------------------
    \1\ Leviathan Security Group (2015). Quantifying the Cost of Forced 
Localization. Retrieved from https://static1.squarespace.com/static/
556340ece4b0869396f21099/t/559dad76e4b0899d97726a8b/1436396918%20881/
Quantifying+the+Cost+of+Forced+Localization.pdf
    \2\ European Centre for International Political Economy (2016 
March). Unleashing Internal Data Flows in the EU: An Economic 
Assessment of Data Localization Measures in the EU Member States. 
Retrieved from http://ecipe.org/app/uploads/2016/12/Unleashing-
Internal-Data-Flows-in-the-EU.pdf
---------------------------------------------------------------------------

   Redundant Investments. Companies may be required to make 
        redundant capital investments by building data servers in 
        various global locations to meet local data storage laws. 
        Building multiple data centers in every country where a company 
        delivers products or services may not be feasible. In the event 
        of a disaster, recovery of services could be significantly 
        delayed or impossible without offshore data backup and 
        processing.

   Workforce Challenges. Local data storage mandates can cause 
        companies to fragment centralized workforce information. When 
        companies are unable to consolidate HR information at a global 
        enterprise level, it impacts their ability to create best 
        practices and assess talent across locations. Furthermore, the 
        isolation of data can create skill gaps that force companies to 
        relocate or rehire employees to access specific sets of data 
        rather than moving the data to employees with specific skills.

   Non-tariff barriers to trade. Localization requirements 
        limit digital and physical trade across borders by placing 
        restrictions on the movement of digital goods and information 
        necessary to support commercial activity. Countries that are 
        committed to increased economic growth, expanded trade, and 
        sustainable digital development should not adopt localization 
        measures.

    Question 4. With the various data localization laws taking effect, 
can you discuss whether those typically explicitly forbid data transfer 
over national borders or would they allow a country, Germany for 
example, to host data on German made servers in a neighboring country?
    Additionally, if a U.S. company, for example, was expected to store 
data on a data center in a country like China, would it be mandated to 
use Chinese materials or technology in the construction of the data 
center? Please answer generally with respect to the multitude of data 
localization laws.
    Answer. Data localization requirements can take a variety of forms. 
Such measures ``differ from country to country in terms of industry 
coverage, geography, types of data covered, complexity, [and] data 
intensity.'' \3\ Stricter measures usually require that specified types 
of data collected in a particular country be stored and processed in 
that country's borders. Other rules may require certain conditions to 
be met for data to leave the implementing country, effectively banning 
the transfer of data offshore. Some rules also place requirements on 
the types of technology used.
---------------------------------------------------------------------------
    \3\ International Trade Commission (2017 August). Global Digital 
Trade 1: Market Opportunities and Key Foreign Trade Restrictions. 
Retrieved from https://www.usitc.gov/publications/332/pub4716_0.pdf
---------------------------------------------------------------------------
    For example, China has adopted strict data localization laws. 
China's Cybersecurity Law that went into effect in June 2017 requires 
all ``important information'' and ``personal information'' to be stored 
in China. Under this regime, ``network operators'' are prohibited from 
transferring covered data outside of China without undergoing a 
government-mandated security assessment. As currently defined, the law 
could cover any entity that owns or operates a computer network and 
applies to a vast and ambiguous assortment of different types of data. 
In addition, China has localization measures applying specifically to 
telecommunications. China's Telecommunications Regulation of 2000 
requires all data collected inside China to be stored on Chinese 
servers.
    Russia's data localization law provides another example of a strict 
regime. Federal Law No. 242-FZ requires all data operators, both 
domestic and foreign, to store the personal information of Russian 
citizens on servers physically located within Russian borders.
    China and Russia are not the only countries with data localization 
requirements. India, Nigeria, Indonesia, Malaysia, Vietnam, and South 
Korea all have enacted laws that prohibit the transfer of a range of 
business and consumer data outside of their respective jurisdictions.

    Question 5. The EU-U.S. Privacy Shield is a program that allows 
companies to transfer personal data to the United States from the 
European Union (EU) in a way that is consistent with EU law. However, 
the European Parliament passed a non-binding resolution in July 
claiming the United States was not complying with European law and 
called on the European Commission to suspend Privacy Shield by 
September 1 ``unless the U.S. is fully compliant.''
    What would the impact to U.S. businesses be if the EU Commission 
suspends Privacy Shield?
    Answer. The EU-U.S. Privacy Shield Framework is an important legal 
tool that facilitates global digital commerce by providing U.S. 
companies with a mechanism to comply with EU data protection 
requirements when transferring personal data from Europe to the US. 
More than 3,000 organizations have self-certified they comply with the 
Framework since it was established, including a significant number of 
Business Roundtable companies.
    Cross border data flows are the foundation of today's 
interconnected economy and critical to billions of dollars in trade 
between the U.S. and European countries. Data flows between the U.S. 
and Europe are the highest in the world and are 50 percent larger than 
data flows between the U.S. and Asia.\4\ In addition, the EU and U.S. 
are the top markets for each other for digital goods and services.
---------------------------------------------------------------------------
    \4\ Brookings Institution (2014 October). The Importance of The 
Internet and Transatlantic Data Flows for U.S. and EU Trade and 
Investment. Retrieved from https://www.brookings.edu/wp-content/
uploads/2016/06/internet-transatlantic-data-flows-version-2.pdf
---------------------------------------------------------------------------
    Suspension of the Privacy Shield Framework would bring the legal 
transfer of EU resident data to a halt for organizations reliant on the 
Framework, along with the trade that depends upon those data flows. 
Companies would have to undergo burdensome processes to establish 
alternative transfer mechanisms such as binding corporate rules or 
standard contractual clauses, which can be expensive and disruptive to 
business activities dependent on the information.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jon Tester to 
                            Denise E. Zheng
    Question 1. Many members of the panel mentioned the United States 
needs to step up our level of engagement and join other like-minded 
countries. In your opinion, which countries closest align with our 
values on Internet freedom, privacy, and Internet of Things?
    Answer. Internet freedom, privacy, and Internet of Things are 
related policy issues, but also very different. The best countries to 
engage with may vary based on the issue at hand.
    Maintaining a multi-stakeholder approach to Internet governance, 
which includes governments, businesses, academia, and civil society, is 
critical to preserving a free and open Internet that enables economic 
growth and opportunity around the world. The U.S. must work with other 
like-minded countries to strengthen multi-stakeholder institutions, promote 
principles of Internet freedom in countries with nascent Internet 
policies, and counter efforts by repressive countries attempting to 
rewrite the rules of the Internet in ways that are fundamentally at 
odds with open markets and democratic values.
    American companies and the U.S. Government should continue working 
closely with the EU and countries in Asia, including Japan and South 
Korea, to establish interoperable privacy frameworks that protect 
consumers and promote continued growth and innovation.

    Question 2. What forum (e.g., the United Nations, NATO, etc.) do 
you recommend for facilitating an international discussion on rules and 
definitions?
    Answer. Norms, best practices, and standards for digital economy 
issues should be developed in multi-stakeholder forums where 
government, industry, and civil society have a seat at the table. The 
U.S. Government should seek to strengthen ties with allies and 
demonstrate leadership in forums where countries are promoting 
regulatory regimes that disadvantage American companies and run counter 
to American values of an open and secure cyberspace. The appropriate 
forum for international discussion depends on the issue. Examples of 
possible forums to discuss cross-border data flow, cybersecurity, and 
privacy issues include:

   Cross-Border Data Flows. The U.S. Government should use 
        trade agreement discussions to minimize barriers to 
        international trade, including restrictions on the free flow of 
        data across borders.

   Cybersecurity. The U.S. Government should actively engage in 
        discussions with ``Five Eyes'' nations to discuss how to 
        enhance collaboration to address common security challenges in 
        cyberspace. In addition, the U.S. Government should promote the 
        alignment of cybersecurity regulations and frameworks in 
        ongoing and upcoming trade negotiations to reduce regulatory 
        fragmentation.

   Privacy. Congress and the Administration should work with 
        industry and other privacy stakeholders to develop a framework 
        for national consumer privacy legislation, and create a 
        strategy to engage with the EU and countries in Asia that 
        promote interoperability with GDPR and other international 
        policy frameworks. The U.S. public and private sectors should 
        also be fully engaged in upcoming APEC Cross-Border Privacy 
        Rules discussions and OECD privacy efforts.

    Question 3. Before the United States can lead the charge 
internationally, we must unify our own ``rules of the road.'' Does such a 
forum currently exist, to your knowledge? How has private industry in 
the U.S. tried to tackle how we define the rules of the road when it 
comes to Internet security and governance? Which U.S. governmental 
agency would you recommend take the lead and represent the United 
States in international discussions?
    Answer. U.S. companies have been working closely with the U.S. 
Government, foreign nations, and other regional and international 
bodies to participate in efforts to define the ``rules of the 
road'' for Internet security and governance that enables growth and 
innovation while safeguarding security and privacy.
    American companies are committed to building long-standing and 
trusted partnerships with the government to create policy solutions 
that provide the public and private sectors with the tools needed to 
manage sophisticated cybersecurity threats to critical infrastructure. 
A key example of how government and industry have partnered to 
strengthen cybersecurity for all sectors of the economy and the 
government is the creation of the National Institute of Standards and 
Technology (NIST) Cybersecurity Framework. The Cybersecurity Framework 
is a voluntary industry-led risk management approach based on best 
practices and guidelines to reduce cyber risk.
    The U.S. Government should promote the Cybersecurity Framework with 
other countries and international standards bodies. The adoption of 
interoperable cybersecurity standards across jurisdictions promotes 
innovation and helps multinational businesses more effectively manage 
risks. NIST should encourage foreign governments and international 
standards organizations, such as the International Standards 
Organization (ISO) and International Electrotechnical Commission (IEC), 
to leverage the Framework in a manner that enables harmonization and 
complementary standards, guidelines, and best practices. In addition, 
the U.S. Trade Representative should promote the use of voluntary cyber 
risk management frameworks and advance prohibitions on localization 
measures in all future trade agreements.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maggie Hassan to 
                        Christopher M.E. Painter
    Question 1. We have heard a lot about Europe's new data privacy 
protections, known as the GDPR. I'd like to understand better what 
their actual impact has been in the United States, and how much 
companies are differentiating their practices for European consumers 
vs. American consumers.
    For example, during his testimony in the spring, Mark Zuckerberg 
promised that Facebook would apply the same standards to users in 
Europe and America. But it now appears that Facebook is requiring 
consent from European users for some of its policy changes while merely 
notifying American users--and may be treating users in other places 
like Asia differently altogether.
    Mr. Painter, should it be a concern if companies like Facebook are 
differentiating in this way? Why should we seek to harmonize our laws 
across countries, if it's easy for companies to treat users differently 
in different places?
    Answer. I have not conducted any research on the extent that 
companies are differentiating between U.S. and other customers. 
However, though the GDPR does have some effects outside the European 
Union, it is primarily aimed at protecting EU citizens and their data. 
U.S. and European data protection standards have always been 
different--though the goal is for them to be interoperable. Though for 
administrative and other reasons it should be expected that some 
companies will apply the same standards globally, in the absence of 
U.S. rules there is no legal requirement to do so. Accordingly, in 
order to achieve the kind of harmonization you raise, the U.S. would 
need to have similar practices. As I said in my testimony, if the U.S. 
wants to set the global standard, it is important for the U.S. to have 
its own consumer data privacy regime, drawing from the Privacy Bill of 
Rights released during the last administration.

    Question 2. Earlier this spring, attorney Craig Newman proposed the 
idea of publicly grading companies' data privacy and cybersecurity 
efforts on a simple A through F scale, similar to the way we do with 
health inspections for restaurants in some places. The goal would be to 
create incentives for companies to implement best practices in order to 
receive better grades and help them retain and attract customers.
    There are some issues we would need to work through in implementing 
something like this, but I think it is an idea worth exploring further, 
which I am currently doing with Mr. Newman and others.
    Could you elaborate on this idea in the context of international 
companies--whether and how we could implement an idea like this 
globally, and what challenges we might face?
    Answer. This is an interesting idea and deserves further study. As 
you note there are a number of challenges to implementing such a regime 
either domestically or internationally. These include what the criteria 
would be for such designations, who would determine whether a 
particular entity deserved a particular rating, how would those 
decisions be reviewed, how would such designations differ based on the 
criticality of the end use, whether the simple grade designations 
really convey useful information to the end user, etc. The complexity 
is magnified if the scheme is meant to be used internationally as other 
countries, civil society and the private sector in those countries 
would have to buy in to that scheme and the ``grade'' should not be 
used as a way to control market access. The EU is currently working on 
cybersecurity legislation that would create a voluntary certification 
regime for cybersecurity and network products. In the course of that 
legislative process a number of considerations came to light and have 
been incorporated or are being weighed. Among these considerations is 
that such a scheme should be based on a risk management approach; that 
there is no one size fits all and any certification criteria should be 
developed collaboratively with relevant industry players and that such 
a scheme should be largely voluntary.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                      to Christopher M.E. Painter
    Question 1. There are nearly a quarter of a million small 
businesses in Nevada. They're working to try to navigate the 
increasingly complex cyber world and I hear a lot from them about 
cybersecurity and other Internet issues.
    Can you talk about GDPR, as well as other international 
regulations, and how we can ensure that small businesses have the tools 
to navigate these as well as rules that are being put in place at the 
state level?
    Answer. Given the complexities of the GDPR and the growing and 
sometimes conflicting cybersecurity regulations around the world it is 
often difficult for small businesses to take into account and implement 
varying requirements. This, of course, is heightened if they do 
business globally. The same is true in the physical world but given 
that many small businesses have an online presence they may be subject 
to certain requirements, like GDPR, particularly if they are processing 
data from overseas. There is no easy answer to this, but, for example, 
as GDPR is being implemented there are a number of resources that are 
being created to help navigate its requirements. Nevertheless, this 
will likely require small businesses to devote scarce resources to 
compliance.

    Question 2. Countries are increasingly imposing data localization 
requirements, which require companies that collect personal data to 
store it on servers within the geographic boundaries of the country, as 
a requirement for companies to do business there.
    Are there logistically feasible ways for American entities to 
process data internationally with the data localization policies that 
were discussed at the hearing?
    Answer. Some larger companies have been able to deal with at least 
some of these requirements by building or operating data centers 
overseas but this approach, even for large and well resourced entities, 
is not scalable or sustainable if many more countries demand this. This 
is also an issue for small and start-up businesses who don't have the 
resources to operate several data centers around the globe. Moreover, 
with respect to repressive countries, data localization requirements 
are often used as a proxy to allow greater monitoring and control of 
their citizens and that raises significant human rights issues.

    Question 3. How does this impact academia or the private sector?
    Answer. As noted above, any entity that is required to comply with 
data localization demands will need to devote significant resources to 
comply and this is not scalable in the long term.
    Also, as noted above, there may be significant human rights 
concerns.

    Question 4. With the various data localization laws taking effect, 
can you discuss whether those typically explicitly forbid data transfer 
over national borders or would they allow a country, Germany for 
example, to host data on German made servers in a neighboring country?
    Answer. I have not studied this issue but it would very much depend 
on the laws and regulations of the country or geo-political entity in 
question.

    Question 5. Additionally, if a U.S. company, for example, was 
expected to store data on a data center in a country like China, would 
it be mandated to use Chinese materials or technology in the 
construction of the data center? Please answer generally with respect 
to the multitude of data localization laws.
    Answer. Again, I have not studied this issue but such requirements, 
if they exist, would not necessarily be part of the data localization 
law itself. China, for example, has used a number of methods more 
generally to require, among other things, joint ventures with Chinese 
companies for certain businesses wishing to operate in China and has 
used its cybersecurity law to mandate or exclude various products.

    Question 6. The EU-U.S. Privacy Shield is a program that allows 
companies to transfer personal data to the United States from the 
European Union (EU) in a way that is consistent with EU law. However, 
the European Parliament passed a non-binding resolution in July 
claiming the United States was not complying with European law and 
called on the European Commission to suspend Privacy Shield by 
September 1 ``unless the U.S. is fully compliant.'' What would the 
impact to U.S. businesses be if the EU Commission suspends Privacy 
Shield?
    Answer. The U.S. and EU methods for dealing with data protection 
and privacy differ and so the goal has always been to assure basic 
interoperability. The Privacy Shield has been a vital means to both 
assuring European entities of basic privacy protections and ensuring 
that both U.S. and European businesses and other entities can transfer 
necessary data and conduct business and other interactions. If the 
Privacy Shield is suspended, it will have a major negative effect on 
businesses and individuals on both sides of the Atlantic.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jon Tester to 
                        Christopher M.E. Painter
    Question 1. Many members of the panel mentioned the United States 
needs to step up our level of engagement and join other like-minded 
countries. In your opinion, which countries closest align with our 
values on Internet freedom, privacy, and Internet of Things?
    Answer. Most of our traditional allies and partners, including 
European, Five-Eye, G7 countries and others are closely aligned with 
our views (though I will not list all of them here for fear of leaving 
some out). While it is important we continue to strengthen our ties 
with our traditional partners, it is also important that we work with 
them to expand the like-minded tent through capacity building and 
international engagement.

    Question 2. What forum (e.g., the United Nations, NATO, etc.) do 
you recommend for facilitating an international discussion on rules and 
definitions?
    Answer. There is no ``one ring to rule them all'' forum but rather 
we need to work with our partners in advancing these issues in a 
variety of both international and regional forums. These include the UN 
(like our engagement in the Group of Governmental Experts), NATO (that 
has made great strides in incorporating cyber issues into its core 
policies in the last 10 years), the OAS, the OSCE, ASEAN, the G7. It 
also includes informal organizations like the Coalition for Freedom 
Online and a host of public/private and multi-stakeholder forums. For 
example, I currently serve as a Commissioner on the Commission for the 
Global Stability of Cyberspace, a multi-stakeholder group that is 
trying to suggest and advance stability measures and a framework in 
cyberspace, and I chair a working group for the Global Forum for Cyber 
Expertise that works with governments, the private sector, and civil 
society to advance cyber capacity building efforts.
    As cyber issues--including human rights, Internet governance, 
cybersecurity, cybercrime, and international security and conflict 
issues--become ever more prominent, nearly every global and regional 
forum is beginning to consider them. Some forums are more tailored to 
specific issues than others but there is an urgent need to engage as 
many of these forums are considering issues or making decisions that 
could have a profound impact on the future of cyberspace.

    Question 3. Before the United States can lead the charge 
internationally, we must unify our own ``rules of the road.'' Does such a 
forum currently exist, to your knowledge? How has private industry in 
the U.S. tried to tackle how we define the rules of the road when it 
comes to Internet security and governance? Which U.S. governmental 
agency would you recommend take the lead and represent the United 
States in international discussions?
    Answer. Given the breadth and scope of cyber issues U.S. 
coordination is paramount if we are to continue to lead the global 
discussion in this area. Although there is no single domestic forum 
where all these issues come together, there has, in the past, been 
strong coordination between Federal agencies and robust outreach to the 
private sector and civil society. Various agencies have taken the lead 
on different aspects of cyber policy and in taking practical measures 
to thwart cyber threats including DHS, DOJ, DOD, State, Commerce and 
others. Overall international engagement on policy issues has been led 
by State (and that should continue) though other agencies have worked 
closely with international counterparts on their mission sets. In my 
former role, I led interagency delegations in a number of engagements 
that sought to present a whole-of-government approach. That said, given 
the importance of the international issues being raised and the need to 
build coalitions to respond to shared threats, I am concerned that we 
are not currently well structured to achieve these goals. My former 
office in the State Department, the first of its kind anywhere in the 
world and now emulated by over 25 countries, has now been demoted for 
over a year sending an unfortunate message to both our friends and our 
adversaries that we do not prioritize these issues. Moreover, the Cyber 
Coordinator at the National Security Council has been abolished. That 
role helped coordinate all the interagency efforts (including helping 
to resolve potential conflicts) and also served to up our game and 
profile on the international stage. Though structure isn't everything, 
and a lot of folks throughout the interagency continue to do good and 
important work, these changes again signal, intentionally or not, a 
lowering of priority when we are at a time when, if anything, the 
priority and profile of these issues should be raised.

                                  [all]