[Senate Hearing 115-803]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 115-803

                        THE INTERNET AND DIGITAL
                  COMMUNICATIONS: EXAMINING THE IMPACT
                     OF GLOBAL INTERNET GOVERNANCE

=======================================================================

                                HEARING

                               BEFORE THE

                         SUBCOMMITTEE ON COMMUNICATIONS, 
                      TECHNOLOGY, INNOVATION, AND THE INTERNET

                                 OF THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 31, 2018

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation
                             
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                             


                Available online: http://www.govinfo.gov
                
                              __________

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
55-218 PDF                  WASHINGTON : 2024                    
          
-----------------------------------------------------------------------------------                 
               
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                   JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi         BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                  MARIA CANTWELL, Washington
TED CRUZ, Texas                      AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas                  BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska                 EDWARD MARKEY, Massachusetts
DEAN HELLER, Nevada                  TOM UDALL, New Mexico
JAMES INHOFE, Oklahoma               GARY PETERS, Michigan
MIKE LEE, Utah                       TAMMY BALDWIN, Wisconsin
RON JOHNSON, Wisconsin               TAMMY DUCKWORTH, Illinois
SHELLEY MOORE CAPITO, West Virginia  MAGGIE HASSAN, New Hampshire
CORY GARDNER, Colorado               CATHERINE CORTEZ MASTO, Nevada
TODD YOUNG, Indiana                  JON TESTER, Montana
                       Nick Rossi, Staff Director
                 Adrian Arnakis, Deputy Staff Director
                    Jason Van Beek, General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
                      Renae Black, Senior Counsel
                                 ------                                

    SUBCOMMITTEE ON COMMUNICATIONS, TECHNOLOGY, INNOVATION, AND THE 
                                INTERNET

ROGER F. WICKER, Mississippi,        BRIAN SCHATZ, Hawaii, Ranking
    Chairman                         MARIA CANTWELL, Washington
ROY BLUNT, Missouri                  AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas                      RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska                EDWARD MARKEY, Massachusetts
JERRY MORAN, Kansas                  TOM UDALL, New Mexico
DAN SULLIVAN, Alaska                 GARY PETERS, Michigan
DEAN HELLER, Nevada                  TAMMY BALDWIN, Wisconsin
JAMES INHOFE, Oklahoma               TAMMY DUCKWORTH, Illinois
MIKE LEE, Utah                       MAGGIE HASSAN, New Hampshire
RON JOHNSON, Wisconsin               CATHERINE CORTEZ MASTO, Nevada
SHELLEY MOORE CAPITO, West Virginia  JON TESTER, Montana
CORY GARDNER, Colorado
TODD YOUNG, Indiana
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 31, 2018....................................     1
Statement of Senator Wicker......................................     1
    Letter dated July 31, 2018 to Hon. Roger Wicker and Hon. 
      Brian Schatz from Pat Kane, Senior Vice President, 
      VeriSign, Inc..............................................    71
Statement of Senator Schatz......................................     2
Statement of Senator Fischer.....................................    48
Statement of Senator Inhofe......................................    50
Statement of Senator Capito......................................    51
Statement of Senator Peters......................................    54
Statement of Senator Gardner.....................................    56
Statement of Senator Hassan......................................    59
Statement of Senator Udall.......................................    61
Statement of Senator Markey......................................    63
Statement of Senator Cantwell....................................    65
Statement of Senator Cruz........................................    67
Statement of Senator Klobuchar...................................    68

                               Witnesses

Hon. Michael Chertoff, Former Secretary of Homeland Security 
  (2005-2009); Co-Founder and Executive Chairman, The Chertoff 
  Group..........................................................     4
    Prepared statement...........................................     5
James Bladel, Vice President of Global Policy, GoDaddy...........    11
    Prepared statement...........................................    13
Roslyn Layton, Ph.D., Visiting Scholar, American Enterprise 
  Institute......................................................    15
    Prepared statement...........................................    16
Denise E. Zheng, Vice President, Policy, Business Roundtable.....    32
    Prepared statement...........................................    33
Christopher M.E. Painter, Commissioner, Global Commission on the 
  Stability of Cyberspace........................................    37
    Prepared statement...........................................    39

                                Appendix

Hon. Bill Nelson, U.S. Senator from Florida, prepared statement..    75
Letter dated July 17, 2018 to Hon. Chuck Grassley, Hon. Dianne 
  Feinstein, Hon. John Thune and Hon. Bill Nelson from 
  CreativeFuture Independent Film and Television Alliance........    76
Response to Written Questions Submitted to Hon. Michael Chertoff 
  by:
    Hon. Roger F. Wicker.........................................    84
    Hon. Catherine Cortez Masto..................................    84
    Hon. Jon Tester..............................................    86
Response to written questions submitted to James Bladel by:
    Hon. Roger F. Wicker.........................................    87
    Hon. Catherine Cortez Masto..................................    87
    Hon. Jon Tester..............................................    88
Response to written questions submitted to Roslyn Layton, Ph.D. 
  by:
    Hon. Roger F. Wicker.........................................    89
    Hon. Roy Blunt...............................................    91
    Hon. Catherine Cortez Masto..................................    91
    Hon. Jon Tester..............................................   122
Response to written questions submitted to Denise E. Zheng by:
    Hon. Maggie Hassan...........................................   129
    Hon. Catherine Cortez Masto..................................   129
    Hon. Jon Tester..............................................   132
Response to written questions submitted to Christopher M.E. 
  Painter by:
    Hon. Maggie Hassan...........................................   133
    Hon. Catherine Cortez Masto..................................   134
    Hon. Jon Tester..............................................   135

 
                        THE INTERNET AND DIGITAL
                       COMMUNICATIONS: EXAMINING
                THE IMPACT OF GLOBAL INTERNET GOVERNANCE

                              ----------                              


                         TUESDAY, JULY 31, 2018

                               U.S. Senate,
       Subcommittee on Communications, Technology, 
                      Innovation, and the Internet,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:00 a.m. in 
room SR-253, Russell Senate Office Building, Hon. Roger Wicker, 
Chairman of the Subcommittee, presiding.
    Present: Senators Wicker [presiding], Cruz, Fischer, 
Inhofe, Schatz, Cantwell, Klobuchar, Markey, Udall, Peters, 
Hassan, Capito, and Gardner.

          OPENING STATEMENT OF HON. ROGER F. WICKER, 
                 U.S. SENATOR FROM MISSISSIPPI

    Senator Wicker. Good morning. Today's Subcommittee meets to 
examine international Internet policies and their impact on 
U.S. businesses, domestically and abroad.
    I'm glad to convene this hearing with my good friend and 
colleague, Ranking Member Schatz.
    The Internet, as we know it, has become one of the most 
important inventions in history. We use it for just about 
everything. Thanks to infrastructure investments and ingenuity, 
the Internet is now an economic engine driving job creation and 
unprecedented access to information and opportunities.
    In a short time, the World Wide Web has transformed into a 
global interconnected information super highway facilitating 
growth, freedom, and economic prosperity.
    The multi-stakeholder governing model has been key to the 
Internet's development across the world. This model has 
fostered the creation of a dynamic Internet economy that 
promotes investment and innovation.
    We owe many of the cutting edge products and services we 
enjoy today to the Internet economy. Underpinning this economy 
is Internet data. As the Internet grows and more people and 
things become connected, the volume, quality, and variety of 
Internet data increases.
    This is driving the development of new businesses and 
services and it is enhancing online experiences for consumers. 
Internet data is an essential commodity for businesses to 
compete and grow in the global digital market.
    The importance of Internet data has not gone unnoticed 
internationally. In fact, it has expanded the focus of the 
conventional Internet governing agenda.
    Traditionally, Internet governance has centered on the 
formation of policies and rules dedicated to the Internet's 
technical development across jurisdictions. While this remains 
an important function and primary focus, the increasing value 
of data has shifted attention to the collection, use, movement, 
and overall treatment of Internet data.
    The rise of data where localization rules following how 
data can be process in a certain territory or jurisdiction 
along with local content requirements, Internet censorship 
policies, and cybersecurity laws are a few examples of this 
growing trend.
    Policies targeting data and networks often stem from a 
country's interest in fostering its own innovation or 
protecting its people from possible data misuse, but here's a 
new problem.
    The global nature of the Internet means that the impact and 
power of these laws goes beyond a jurisdiction's borders. U.S. 
companies are compelled to change business models or alter 
operations to achieve compliance in foreign markets, and 
they're experiencing disruptions in their own domestic 
operations, as well. The result is less job creation, less 
investment, and less innovation in the United States.
    Consumers are feeling the effects of international Internet 
policies. Overly restrictive limitations on data movements or 
inconsistencies across jurisdictions ultimately deliver an 
Internet experience to consumers that is less personalized and 
more expensive to access.
    Today, we look forward to examining the impact of global 
Internet policies on U.S. businesses and consumers as well as 
the continued development of the Internet around the world.
    I would mention that I'm Chairman of the Helsinki 
Commission and as part of the Commission's mission, we promote 
economic cooperation overseas and I also look forward to 
discussing the appropriate role that Congress should play in 
enhancing international coordination on the future Internet 
policies and empowering U.S. businesses to prosper in today's 
global Internet marketplace.
    This is critically important to maintain U.S. leadership 
and data-driven innovation and Internet technologies for years 
to come.
    I welcome the witnesses here today. I will introduce them 
in a moment after we've heard an opening statement from Senator 
Schatz.

                STATEMENT OF HON. BRIAN SCHATZ, 
                    U.S. SENATOR FROM HAWAII

    Senator Schatz. Thank you, Mr. Chairman. Thank you for 
holding this hearing.
    We are here today to talk about governing an Internet that 
is truly international. It serves billions of people who have 
different cultural and economic values and ideas of how it 
should work and that presents a challenge.
    We also have more specific challenges, such as online 
terrorism, foreign propaganda, interfering in elections, state-
sanctioned surveillance, and misinformation that can lead to 
violence, and as we consider them, we have to ask how they can 
be addressed without compromising basic human rights, such as 
free speech or privacy.
    Approaching any one of these challenges would require a 
long and technical conversation and so it's unrealistic to 
think that we can solve all of these weighty policy issues with 
a hearing or two, but what we can do here is highlight and 
demonstrate support for the forums where these discussions can 
happen in a more comprehensive manner.
    The IANA transition from NTIA to ICANN is a good example of 
how a technical governance of the Internet is best served by a 
process in which all stakeholders participate. These include 
industry, civil society, academia users, and governments.
    Government-driven forums, like OECD, G7, G20, and WTO, also 
allow people to come together to address important Internet 
policy issues, including security, economic development, and 
trade.
    Russia, China, and Iran use these forums to push for 
agendas that censor speech, enable government surveillance, and 
restrict free markets. That's why the U.S. and our allies need 
to maintain our leadership to preserve and advance democratic 
principles. Similarly, a free and open Internet is in our 
common interests.
    The Internet started in the United States. It is 
intertwined with the fabric of our daily lives from basic 
activities, like checking the weather, to exercising our 
fundamental civic rights and democratic values, and that's why 
we have to show up and lead these forums and to continue to be 
the indispensable nation.
    This is generally true for international policy issues, but 
it's especially true for the governance of the global Internet. 
Unfortunately, our leadership is being jeopardized by this 
Administration. Last year, Secretary Tillerson eliminated the 
cybersecurity coordinator role and demoted its 
responsibilities, putting it under the Bureau of Economic 
Affairs, and earlier this year, National Security Advisor John 
Bolton eliminated the White House cyber coordinator role.
    Congress is working to reinstate the Office of Cyber 
Coordinator at the State Department and we hope to persuade the 
White House to re-establish the Cyber Coordinator role in the 
NSC.
    The U.S. Government needs to play an active role in helping 
to set reasonable rules of the road for Internet governance. 
This means protecting the existing international and multi-
stakeholder processes and in this global context, our standing 
down will create a vacuum for authoritarian regimes.
    I look forward to hearing from the witnesses about how we 
can better engage with the international community to address 
the many challenges facing the Internet today.
    Thank you, Mr. Chairman.
    Senator Wicker. Thank you, Senator Schatz.
    We are delighted today to have the Honorable Michael 
Chertoff, former Secretary of Homeland Security and Co-Founder 
and Executive Chairman of The Chertoff Group, Washington, D.C.; 
Mr. James Bladel, Vice President of Policy, GoDaddy, of 
Scottsdale, Arizona; Dr. Roslyn Layton, Visiting Scholar, the 
American Enterprise Institute in Washington, D.C.; Ms. Denise 
Zheng, Vice President for Policy of The Business Roundtable, in 
Washington; and Mr. Christopher Painter, Commissioner, Global 
Commission on the Stability of Cyberspace, Washington, D.C.
    Let's take 25 minutes evenly divided among our witnesses 
for opening statements, and, Secretary Chertoff, we'll begin 
with you and just go down the table.
    Welcome.

              STATEMENT OF HON. MICHAEL CHERTOFF,

       FORMER SECRETARY OF HOMELAND SECURITY (2005-2009);

               CO-FOUNDER AND EXECUTIVE CHAIRMAN,

                       THE CHERTOFF GROUP

    Secretary Chertoff. Well, thank you, Mr. Chairman, and 
Ranking Member Schatz, and members of the Committee, for 
holding this hearing, which is very timely.
    I've submitted a written statement which I request be made 
part of the record.
    Senator Wicker. All of the statements will be made a part 
of the record.
    Secretary Chertoff. And I should just point out that I 
serve with Chris Painter on the Global Commission on Stability 
of Cyberspace. So we interact quite a bit on this issue.
    Let me just try to make a few brief points. As both the 
Chairman and Ranking Member indicated, obviously the value 
proposition of the Internet in many respects rests upon its 
global nature. In fact, it connects up networks all around the 
world and therefore when you have the prospect of fragmentation 
or localization, you run the risk of undermining the 
fundamental value of the Internet because you would wind up 
with a number of different networks.
    This is important not only because we value freedom and the 
ability to communicate with others around the world and to have 
discourse about matters of public importance but because this 
is critical to our economy. The reality is the Internet has 
transformed the nature of our economic activity.
    It allows us to promote exports. It allows us to--if I can 
use the phrase--dis-intermediate between buyers and sellers, so 
we now have the ability of people to sell directly, whether 
it's auctioning on eBay or signing up to look for drivers under 
Uber or Lyft or other ride-sharing programs, and in many 
respects, this is part of what is fueling global growth around 
the world.
    It's also true that much of the innovation and the 
ingenuity behind the Internet, which is part of the market 
value of many of our most prominent companies, depends upon 
having a global market and that means a global Internet. 
Without a global Internet, that market dries up. So we have a 
very strong interest in dealing with this issue.
    It also means that no one country can control the outcome. 
We have to work with our partners. Now KANDR compels that we 
recognize that the Russians and the Chinese have a different 
view and in many cases, to the Russians and the Chinese, 
information they don't want their public to read is what they 
regard as cybersecurity and that's, of course, the opposite of 
what we view as important.
    So I would make, I think, three points about what we ought 
to address. One is I do think we need to continue to promote 
what has been described as the multi-stakeholder model of 
Internet governance. That means making sure we get not just 
government but civil society, business, and consumers into the 
mix in deciding how the Internet is going to be operated.
    The Russians and the Chinese often look to put the 
governance in bodies, like the United Nations, which would 
politicize and give them in many cases control over the 
outcomes for their own purposes, and I would emphasize that 
often rules that appear to be merely technical actually have a 
great deal of real substance because your ability, for example, 
to control the domain name registry system and to decide, you 
know, who controls basically the traffic flow in many cases is 
the key to whether you censor the Internet or you have it be 
wide open.
    A second issue is we do have conflicting laws in different 
jurisdictions. The Internet is borderless, the data is 
borderless, but the laws have borders, and we often do wind up 
with conflicts.
    Congress has passed the CLOUD Act, which has opened the 
door to resolving some of the conflicts about lawful access by 
the authorities to data that may be held in another country and 
that's a good step forward, and we need to continue to work on 
resolving these disputes among legal jurisdictions about who 
gets to access information and what the substantive rules are, 
in particular because we prize the First Amendment. We want to 
make sure that other countries don't use their power over 
multi-national global Internet companies to drive a vision of 
censorship that would fundamentally undermine our 
constitutional values.
    And, finally, I would say, and Full Disclosure is a book 
I've just written recently, that we need to talk about what 
privacy is like in an era when we are generating so much data 
globally that the idea of keeping it all hidden is a ship that 
has sailed and now it becomes an issue of how do we control the 
data and what rights do we as citizens and consumers have to 
make sure that our data is not being used in ways that we don't 
agree to or that will hurt us and so these are very meaty 
topics.
    I look forward to answering questions from the Committee on 
any and all of these.
    Thank you very much.
    [The prepared statement of Secretary Chertoff follows:]

   Prepared Statement of Hon. Michael Chertoff, Former Secretary of 
 Homeland Security (2005-2009); Co-Founder and Executive Chairman, The 
                             Chertoff Group
Introduction
    As we are all aware, the Internet knows no borders. National 
sovereignty and borders, key elements of how those of us in the West 
have looked at legal and political issues since the Peace of 
Westphalia, lack their traditional meaning in a digital world in which 
data moves between servers and users without regard for their location 
or nationality. I can just as easily access my e-mail in Geneva as I 
can in Washington. My service provider can seamlessly move my data 
between data centers in dozens of countries, with the decision to do so 
made by an algorithm. In some instances, a provider may not even know 
the physical location of the data, the underlying ones and zeros, or 
may ``shard'' the data, spreading it across multiple locations.
    In this environment, it is nearly impossible for any one country to 
claim sovereignty over ``their portion'' of the internet. A country may 
have jurisdiction over the physical infrastructure of the Internet 
within their country, but it cannot control the infrastructure beyond 
its borders nor can it control the services and offerings of providers 
in other countries. Practically speaking, the only way to truly control 
the Internet within your country is to disconnect it from the rest of 
the world, as Russia recently threatened to do and as North Korea has 
done for much of its domestic population (leaving aside the activities 
of the country's cyber warriors).\1\ Even China's Great Firewall, a 
costly but reasonably effective means of control, is unable to 
completely stem the flow of information deemed objectionable by the 
Chinese Communist Party to citizens within its borders.
---------------------------------------------------------------------------
    \1\ See https://www.theregister.co.uk/2017/12/01/
russia_own_internet/, https://www.scmp.
com/news/asia/east-asia/article/2119146/how-north-korea-slowly-
embracing-its-own-sealed-version-internet
---------------------------------------------------------------------------
    More importantly, taking such drastic action comes at a significant 
cost. The Internet is now a vital part of the U.S. and the global 
economies. In 2016 e-commerce sales in the U.S. totaled approximately 
$400B, or roughly 10 percent of all retail sales.\2\ Mobile and 
Internet banking use in the U.S. has also exploded, resulting in 2.5B 
bill-payment transactions in 2012 alone.\3\ Beyond these transactions 
are entire companies built on the power of the internet, such as Google 
and Facebook. The Internet has also fostered entirely new segments of 
the economy, such as ride and home sharing.
---------------------------------------------------------------------------
    \2\ See https://www.census.gov/newsroom/press-releases/2018/estats-
report.html
    \3\ See https://www.frbservices.org/assets/news/research/2013-fed-
res-paymt-study-summary-rpt.pdf
---------------------------------------------------------------------------
    Beyond the economics, the Internet serves as a massive, if 
imperfect, laboratory for democracy and free speech, allowing for the 
free exchange of ideas and information between all users regardless of 
nationality, location, or class. It has also allowed for large scale 
collaboration, resulting in the creation of the world's largest 
encyclopedia, Wikipedia, and various crowdfunding sites that allow 
individuals to raise funds for their ventures beyond the traditional 
confines of banks and institutional investors. On the darker side of 
things, the Internet has also given rise to a dark web that facilitates 
the sale of illicit goods and gives opportunities to criminals to 
conspire and collaborate in private.
Need for coordinated action on cyber (international and bilateral)
    The Internet has proven to be a vital economic and social tool, 
vastly expanding economic opportunity while allowing for the free 
exchange of thoughts and ideas. It is something that is worth 
protecting, but also something that requires regulation and policing. 
However, this global nature also necessitates an appreciation that the 
actions of one country can have impacts far beyond that country's 
borders, and conversely, that broader Internet and cyber policy aims 
can only be fulfilled through cooperation with other countries.
    That said, we must recognize that not all countries view the 
Internet in the same way nor appreciate its significant social and 
democratic value to society. China, Russia, Iran, and many other 
authoritarian countries view the Internet as a threat to the governing 
regime and thus require significant controls and monitoring. In such 
countries various websites are blocked, applications prohibited, and 
communications monitored for seditious speech or efforts that might 
challenge the regime's hold on power. While these countries are part of 
the global network, the reality is that we are never going to see eye-
to-eye with them on important issues of Internet governance, nor will 
the U.S. and its allies be able to convince them to abandon their 
efforts and allow unfettered access to materials that might undermine 
them.
    And so, it is up to us to cooperate and build consensus with like-
minded countries, other democracies and Western countries who agree on 
the broader principles of the Internet but may disagree about how to 
regulate, shape, and manage it. We must recognize that we may, at 
times, disagree with even our closest allies on policy particulars, but 
in the end, it is better to reach an imperfect compromise with them 
than allow for the disintegration of the Internet as we know. So much 
of the internet's value is in its global nature, and we must work 
across international borders if we hope to preserve it as a common 
good.
    Without that cooperation we are likely to see new barriers, 
intended or not, appear and impede the development and growth of the 
internet. Data localization requirements, for example, may be enacted 
to protect a country's citizens' data, but have the more practical 
effect of significantly raising costs, diminishing competition, 
frustrating international commerce, and preventing citizens from 
accessing the services of providers based outside their own country. 
New regulations may be enacted to protect users' privacy but result in 
unexpected delays in cross-border law enforcement cooperation. The best 
way to avoid such barriers is to work with other countries to address 
these issues, as many countries share the same concerns and would all 
benefit from coordinated action.
    At present, the mechanisms for such cooperation are limited. 
Broader international bodies, such as the United Nations and 
International Telecommunications Union, include stakeholders from 
authoritarian countries which may use those bodies to pursue policies 
contrary to our vision for the internet. The European Union has 
arguably been the most successful multi-national body on this issue, 
developing Europe-wide policies such as the General Data Protection 
Regulation (GDPR). Some progress has also been made on bi-lateral 
solutions, such as the law enforcement data sharing agreements 
authorized by the recently enacted Clarifying Lawful Overseas Use of 
Data (CLOUD) Act, which allows for the U.S. to enter into bi-lateral, 
reciprocal law enforcement data access agreements with countries that 
meet a specified set of legal and human rights criteria. The first such 
agreement, between the U.S. and the U.K., is currently working its way 
through the approval process.
    A variety of other organizations have also worked to address these 
issues. The Global Commission on Internet Governance and the Global 
Commission on Stability in Cyberspace, on which I have served, work to 
counter the fragmentation of the Internet and offer guidance to policy 
makers seeking to address Internet governance issues.\4\ Toomas Hendrik 
Ilves, the former President of Estonia and Visiting Fellow at the 
Hoover Institution at Stanford University, recently proposed what he 
termed a new ``Cyber NATO,'' a coalition of liberal democracies that is 
better able to meet the ubiquity of cyber threats and ensure proper, 
adequate response.\5\ The President of Microsoft, Brad Smith, has 
proposed what he has dubbed a ``Digital Geneva Convention,'' which 
outlines the rules of cyberspace and protects civilians and other 
bystanders from the offensive cyber activities of nation-states.\6\
---------------------------------------------------------------------------
    \4\ See https://www.cigionline.org/sites/default/files/
gcig_final_report_-_with_cover.pdf
    \5\ See https://berlinpolicyjournal.com/a-digital-defense-alliance/
    \6\ See https://blogs.microsoft.com/on-the-issues/2017/02/14/need-
digital-geneva-convention/
---------------------------------------------------------------------------
    The above is just a brief snapshot of the need for international 
cooperation on Internet governance, be it multi-lateral or bi-lateral. 
Ultimately, the U.S. will be best served by working with countries that 
share its values and vision for the Internet to find a mutually-
agreeable approach to the myriad of privacy, security, regulatory, and 
management issues that face the Internet as we know it. The U.S. would 
also be well served to consult with key stakeholders throughout the 
process, considering the concerns of the technology industry, the 
privacy community, and other actors as it develops its strategy for 
international engagement cooperation on Internet governance and related 
cybersecurity issues. The costs of non-cooperation would be severe and 
ultimately harm the U.S., and the rest of the world, economically and 
socially.
Privacy needs and the impacts of inaction
    Today's rampant technology, and the convenience and opportunity it 
offers, has numbed us to our loss of privacy. The availability of data 
is only going to grow in years and decades to come and we urgently need 
to regulate how government and the private sector can make use of that 
information. The creaky and dated legal framework that currently 
governs the collection and use of personal data was created decades ago 
when phone records and photographs constituted metadata. The U.S. needs 
a legal and policy structure built for the way the 21st century uses 
data--one that retains security and economic benefits without 
sacrificing Americans' liberty and civic values.
    Privacy as we know it has been forever at least substantially lost, 
and the collection of data will--and must, for security reasons--
expand. What must be preserved, however, by new laws and regulations is 
our autonomy--the ability to make our own personal choices restricted 
only by transparent laws and social norms, and to have a reasonable 
degree of ownership and control over the data we generate.
    In March of this year, news broke that Cambridge Analytica was 
regularly harvesting our data for the purposes of manipulating American 
voters in favor of the Trump Campaign in 2016.\7\ The entering wedge of 
Cambridge Analytica's data collection was an apparently limited request 
by a developer to have Facebook users complete an online survey. 
Slightly over a quarter of a million did so. But by downloading the 
survey, they opened the door to collection of data about all their 
friends and their other on-line interactions. As a result, data 
relating to approximately 50 million individuals was captured. Most of 
these people did not know that their information was being used. 
Perhaps improperly, this data was transferred to Cambridge to applying 
machine learning algorithms to correlate granular connections between 
individuals and their likely political predilections and interests. 
This analysis could then be applied for precisely targeted, 
individually focused political advertising aimed at potential voters. 
It is debatable whether this had an impact on the election outcome, but 
it is certain that political campaigns and even governments will 
continue efforts to refine and apply the political marketing 
techniques.
---------------------------------------------------------------------------
    \7\ See https://www.cnbc.com/2018/03/21/facebook-cambridge-
analytica-scandal-everything-
you-need-to-know.html
---------------------------------------------------------------------------
    And the purpose of those techniques will not only be to affect 
elections. As we have seen, information from Russia and other foreign 
powers has been used to create social division, sow public distrust, 
and even foment unrest. Weaponized data is the newest tool in the 
armory of subversion.
    What all this illustrates, is that personal data has become one of 
the most valuable assets of the modern age. That is evident from the 
fact that many of the companies with the highest market capitalization 
are essentially earning revenue from data adapted to commercial 
marketing. But the value of these data assets increasingly also lies in 
their utility as a tool to drive political behavior, impact social 
stability, and even affect national security.
    Even more significant, the business of aggregating and reselling an 
individual's data from multiple sources--social media, online searches, 
consumer purchases, and locational data--means that people will 
increasingly be subject to pressure to change their behavior from 
multiple sources: employers, insurers and governments. By way of 
example, China has embarked on a ``social credit'' plan to aggregate 
myriad data points of online and offline behavior, and award 
individuals a ``score'' that will affect their life prospects.\8\
---------------------------------------------------------------------------
    \8\ See https://www.businessinsider.com/china-social-credit-system-
punishments-and-rewards-explained-2018-4
---------------------------------------------------------------------------
    For all of us what this means is that all the data we generate has 
become as valuable, and as worthy of safeguarding, as our money in the 
bank. Privacy--in the sense of shielding data from others--has been 
frayed given how easily third parties can collect and fuse our data. 
What must be protected now is our freedom of action, which requires 
that we take greater ownership and control of our data even when it is 
accessible to others.
Data security regulation and policy solutions
    Part of the remedy will be adaptations in the law and regulation, 
changes that must allow for innovation but also the need to protect 
individuals from having their data abused or weaponized. When user data 
is collected by a platform to improve the user experience, consent 
should be readily presumed. But when the data is being used for other 
commercial purposes, or transferred to third parties, the law should 
mandate that the proposed new use of this data be clearly explained to 
the user, and the user's affirmative approval should be required. 
Opting in or out of this kind of data sharing should always be the 
user's choice and should not be the result of pressure or deception. 
Finally, platforms should be required to describe and make available to 
the user all the types of data being collected about him or her.
    But the remedy also requires each of us becoming mindful of how and 
when we share our data. Sometimes that means we should not share data, 
or that we should pay for an online service instead of accepting a 
``free'' benefit that we pay for with our personal information. We 
should also be careful about completing online surveys because the data 
we enter could wind up in different hands than we expect. Even more 
critical, we should consider that our online communications with 
friends may be harvested if those friends agree to grant access to 
their data. Finally, we must educate ourselves about the way data can 
be used to influence us, and to train ourselves to evaluate these 
messages critically.
    Some data regulation had already progressed both abroad and at the 
state level. Under the GDPR, EU citizens have a right to know what's 
being done with their data, and a right to access it. GDPR requires any 
company doing business in the EU that interacts with and processes data 
of people in the EU to get explicit consent from users for every 
possible use to their data. Users will have a right to be 
``forgotten;'' as in being able to request that a company delete their 
data, stop sharing it and force third-party firms from using it as 
well.\9\
---------------------------------------------------------------------------
    \9\ See https://www.lawfareblog.com/summary-eu-general-data-
protection-regulation
---------------------------------------------------------------------------
    In June of this year, California recently passed one of the 
toughest data privacy laws in the country, the California Consumer 
Privacy Act of 2018, impacting how businesses will be required to 
disclose the types of data that they collect, as well as allow 
consumers to opt out of having their data sold.\10\ The legislation, 
which is similar to Europe's new GDPR protections, gives consumers more 
control over their personal data. It grants them the right to know what 
information companies like Facebook and Google are collecting, why they 
are collecting it, and who they are sharing it with. Consumers will 
have the option of barring tech companies from selling their data, and 
children under 16 must opt into allowing them to even collect their 
information at all.
---------------------------------------------------------------------------
    \10\ See https://www.theverge.com/2018/6/28/17509720/california-
consumer-privacy-act-legislation-law-vote
---------------------------------------------------------------------------
    While the legislation is a positive step forward for consumers' 
privacy, I acknowledge that addressing privacy through dozens or 
hundreds of regulations various states and cities would be unworkable, 
and that their needs to be a broader solution at the national and 
global levels. However, the country or state that takes the most action 
and has critical mass will ultimately have the most impact. Take the 
California Emissions Standards legislation as an example. Automakers 
were compelled to more or less follow those standards nationally once 
the automakers in the region were forced to comply with a higher level 
of emission standards than the Federal requirement. To date, 12 states 
and the District of Columbia follow the California standards. 
Similarly, the jurisdictions that lead on data privacy legislation and 
impact most U.S. companies could effectively set the national standard.
Defending against disinformation across Western democracies and 
        election interference
    Attacks on democracy will affect all parties. If we want to 
establish concrete solutions, we need to exchange knowledge and take 
global-minded actions. Organizations like the Transatlantic Commission 
on Election Security, for which I am the co-chairman, focus on finding 
solutions to three major election meddling strategies: manipulation of 
social media, tampering with social infrastructure and leaking 
confidential documents. Working with political and private sector 
leaders, traditional and new media actors, and non-governmental 
organizations, the Commission promotes transatlantic coordination, 
identifying and plugging gaps and raising awareness of this important 
issue. It will also investigate the level of risk exposure across 
Western countries and provide concrete recommendations to address this 
problem head on.
    A positive step forward are private sector initiatives like 
Microsoft's ``Defending Democracy'' initiative (with which I work). 
This initiative engages with stakeholders in democratic countries 
globally to protect campaigns from hacking through:

   increased cyber resilience measures, enhanced account 
        monitoring and incident response capabilities;

   increased political advertising transparency online by 
        supporting relevant legislative proposals such as the Honest 
        Ads Act and adopting additional self-regulatory measures across 
        our platforms;

   technological solutions to preserve and protect electoral 
        processes and engage with federal, state and local officials to 
        identify and remediate cyber threats;

   defending against disinformation campaigns in partnership 
        with leading academic institutions and think tanks dedicated to 
        countering state-sponsored computational propaganda and junk 
        news.
Information Sharing
    Cybersecurity information sharing, that is, the sharing of threat 
data, indicators, Tactics, Techniques, and Procedures (TTPs), and other 
data, is vital to helping others detect and prevent a cyber-attack. 
What makes information sharing so important is the fact that our cyber 
infrastructure is so diffuse. While one entity, such as the FBI, 
Google, or Microsoft, may be aware of a particular vulnerability or 
threat, it can take days, weeks, or even months before the relevant 
information spreads throughout the cyber ecosystem and results in the 
deployment of patches, installation of new technologies, changes in 
network architecture, or the adoption of new policies that adequately 
counter the threat. Such information sharing is likely the most mature 
within the Federal Government, where agencies, particularly within the 
Intelligence and Defense communities, share vital information with one 
another to protect Federal networks.
    The good news is that information sharing efforts are also growing 
within the private sector of the United States, though much can still 
be done. Some of the greatest progress has been made through the growth 
and use of Information Sharing and Analysis Centers (ISACs) and 
Information Sharing and Analysis Organizations (ISAOs), which 
coordinate the sharing of threat information among entities from a 
single sector or geographic region. Some of the most successful ISACs 
and ISAOs, including the Financial Sector ISAC (FS-ISAC) and the Multi-
State ISAC (MS-ISAC), have been able to coordinate the sharing of 
significant volumes of threat information between private and public 
entities while working with Federal agencies to ensure that the threat 
information that they are able to provide is also reflected within 
their ecosystem.
    However, more can be done to grow information sharing beyond the 
government space and a relatively limited portion of the private 
sector. First, the Federal Government can do more to encourage private 
sector information sharing both by enhancing incentives for private 
sector companies to participate and by making it easier for those 
companies to access threat information data from Federal agencies.
    Second, at present, information sharing across international 
borders is exceedingly difficult. Unclear data privacy requirements, 
data transfer limitations, and other legal uncertainties often prevent 
or significantly delay the sharing of threat information data between 
private entities in different countries. The United States should work 
with its international partners to help ease these restrictions while 
maintaining and respecting relevant privacy protections for sensitive 
personally identifiable information.
    Third, international information sharing between governments can 
also be enhanced. While cooperation between U.S. intelligence agencies 
and those of our allies is generally effective, such cooperation is far 
less common between civilian agencies, sometimes because of the same 
regulations that frustrate private sector information sharing across 
international borders. We can do more to enable this information 
sharing and build stronger relationships between the Department of 
Homeland Security, which is responsible for the protection of Federal 
civilian networks, and its counterparts in allied countries.
Five Frameworks for New Laws and Rules to Enhance Security and Civil 
        Liberties
    Finally, I would offer this committee and their colleagues in 
Congress five frameworks that they should contemplate as they consider 
how best to address the cyber threats facing our country and the policy 
challenges that those threats and changing technologies present. While 
no one framework is a silver bullet for the challenges we face, each 
helps to illustrate both these challenges and some of the specific 
solutions that could address them.
    First, to protect us against attacks on our physical and cyber 
security by bad actors while simultaneously preventing the government 
from overreaching to threaten our autonomy, we must recognize that data 
requires both a loosening on what information can be collected and 
stored by or for government and at the same time tightening of the 
standards under which that information can be inspected, analyzed, and 
used. We should grant the government necessary authority to access and 
collect data. The government cannot effectively disrupt criminal 
enterprises or foil terrorist plots without following a digital data 
trail that may only appear significant with the passage of time. The 
trail goes cold if the government does not have initial access and 
collection capability so that the relationships in the data can be 
analyzed in context. Note, however, that I am not advocating that 
private companies build vulnerabilities, like decryption backdoors, 
into their systems to assist the government. The government should use 
its own resources; this burden remains on the government.
    But even as restrictions on access and collection are loosened, 
restraints on government inspection (human or robot), analysis, 
dissemination, and use of that data should be tightened to strengthen 
civil liberties protections against abuse of that data. In the interest 
of individual autonomy, this balances the need to preserve useful 
information with the need to control human access--and possible 
misuse--of that information.
    Second, consider the spectrum of active defense when our 
enterprises or homes are attacked by cyber criminals, terrorists, or 
adversary nation-states. I suggest that licensing private actors to 
defend their networks could help the United States stem the flow of 
intellectual property--the greatest heist in history. But to mitigate 
the risks of unintended consequences and uncontrolled escalation of 
conflict, the government must restrict these licenses to specific 
activities and set clear rules of the road. In particular, no private 
party should be allowed to retaliate against or invade another 
network--even if it is the source of a hacking attack--unless under the 
direction and control of an appropriate law enforcement or judicial 
authority.
    Third, to avoid fragmentation of the internet, and the consequent 
huge global economic cost, Congress should work with other countries to 
develop uniform laws governing both the legal process for obtaining 
data and the substantive laws governing that data. This will require 
creation of enforceable treaties or international agreements that focus 
on protecting the rights of the data subject, since the focus of 
personal autonomy is reasonable control over one's own data. The 
objective of this developing international law regime should be to 
avoid inconsistencies that lead to individual national laws that 
mandate data localization and thereby compromise the global 
architecture and freedom of movement of Internet data.
    Fourth, the law must evolve to control the use private parties can 
make of individual data. In a world in which people inevitably give off 
digital exhaust and often cannot give meaningful consent to the use of 
their data by apps or third parties, the law should shift the default 
to better protect privacy and autonomy. As some European regulators are 
currently insisting, this means that enterprises seeking to use data 
for purposes other than improving the particular service engaged by the 
user--for example, reselling to third party marketers--should be 
required to obtain that user's affirmative or ``opt-in'' consent. Even 
more explicit consent from the data subject should be mandated when a 
data aggregator or platform seeks to resell or repurpose an 
individual's data that was obtained from the third parties who 
initially collected that subject's data without consent. For those 
aggregators or platforms whose market position makes them effective 
monopolists, consent may be deemed insufficient; regulators may need to 
impose limits on the data uses a monopolist may engage in and might 
even require a fee be paid by the company to the subject for certain 
uses.
    Most important, the law must limit the ability of corporations to 
coerce individuals into consenting to broad surrender of control over 
their data. Thus, the ability of employers or insurance providers to 
insist on virtually limitless access to individual data as a condition 
of employment or affordable premiums should be tailored to apply only 
to information reasonably related to employment or insurability. And 
data collected for these reasons should be barred from resale or use 
for unrelated purposes.
    Indeed, noting that NGOs have developed transparency indices for 
how well tech companies respond to government requests for their users' 
data, we should develop transparent accounts or regulations for how 
private companies are using, and especially sharing, individual users' 
data.
    Fifth, the law must incentivize private parties to collaborate with 
the government in protecting against shared vulnerabilities. The vast 
majority of IT infrastructure is in private hands, but the Internet 
makes it interdependent. Without government expertise and even 
regulation, coupled with private sector ingenuity and commitment, the 
Internet infrastructure will continue to fall prey to its weakest link. 
As part of this effort, the law should encourage and protect 
information sharing directly and in real-time among private and public 
entities on both industry-focused and regional bases.
Conclusion
    If there is an overarching lesson to be drawn from the technology 
revolution, it is that our day to day lives are described and even 
defined by data. We generate data, it tracks our behavior, preferences, 
location and even intentions. Data is used to incentive us, deter us, 
and even coerce us. If others, be they government or private actors, 
manage our data, they effectively control much of what we do.
    The Internet was intended as a force to empower individuals, to 
forge global connectivity, and even to promote freedom. Although some 
believe that the Internet can be a law-free, almost anarchic zone, I 
believe that the above demonstrates that without thoughtful rules, the 
Internet can be a tool to constrain individual autonomy, to bully, and 
to manipulate.
    One way to look at the sea of data in which we currently swim is as 
a global public good. Such a public good has value only if there are 
rules that prohibit overreaching interference and disruption. We must 
therefore develop rules to prevent powerful institutions and bad actors 
from using Internet data to damage, rather than enhance, our autonomy.

    Senator Wicker. Thank you, Mr. Secretary.
    Mr. Bladel.

                   STATEMENT OF JAMES BLADEL,

            VICE PRESIDENT OF GLOBAL POLICY, GODADDY

    Mr. Bladel. Thank you. Good morning, Chairman Wicker, 
Ranking Member Schatz, and Subcommittee Members.
    My name is James Bladel, and I'm the Vice President of 
Global Policy for GoDaddy, and we appreciate the opportunity to 
testify before you today.
    GoDaddy is the world's largest web platform dedicated to 
independent ventures. We provide the tools, insights, and 
people necessary to enable small businesses and aspiring 
entrepreneurs or anyone with an idea to get that idea up and 
running online and every idea starts with a domain name.
    A domain name, whether it's a dot com, a dot org, or a new 
extension, like dot app or dot blog, is essential to creating 
an online identity. GoDaddy currently manages over 76 million 
domain names for our 18 million customers worldwide and whether 
that customer is a florist in Mississippi or a baker in London 
or a web designer in Mumbai, our mission is to provide an 
excellent customer experience that is uniform around the world.
    The focus of this hearing is on the impact of international 
policies and regulations on end user experiences and global 
competition online and today, I would like to discuss the 
following three issues.
    First, the adoption of laws and regulations by countries 
that are designed to exclude American companies; second, the 
patchwork of privacy laws and regulations; and, third, the dot 
com cooperative agreement between NTIA and Verisign, which 
underpins the global Internet domain system.
    Internationally, we're seeing an increasing number of 
countries adopt laws and regulations that make it more 
difficult to serve our customers in those markets. We have 
encountered numerous examples of foreign regulations on 
Internet providers that would require us to establish a local 
presence or use local banks or even hire a local workforce all 
in order to gain access to that market.
    Some nations aggressively regulate content and censor 
political or religious views. Taken together, all of these 
regulations stand in the way of GoDaddy reaching new customers, 
competing in new markets, and developing innovative products, 
and laws like these are harmful to providers and to consumers 
alike and are a barrier to free trade.
    There's also an increasing number of new privacy 
regulations, such as the European Union's new General Data 
Protection Regulation, GDPR, and these regulations have created 
a patchwork of laws with which companies must comply in order 
to operate globally.
    GDPR compliance was a major undertaking for GoDaddy. GDPR's 
touched every aspect of our industry but, most notably, it has 
significantly disrupted the WHOIS Service, which is a directory 
of contact information for domain name registrants.
    WHOIS is a two-edged sword. It serves an important tool for 
law enforcement and other stakeholders, but it's also a gold 
mine of personal data for spammers.
    Currently, we're engaged with representatives of law 
enforcement agencies and our colleagues at ICANN to try and 
strike the right balance between providing access to WHOIS for 
legitimate purposes while also protecting the private 
information of our customers.
    Also crucial to the health of the Internet is the 20-year-
old cooperative agreement between NTIA and Verisign that 
governs the dot com registry.
    As you're aware, dot com makes up about 80 percent of 
domain names and the cooperative agreement holds the wholesale 
price of dot com domain names at $7.85 per year. This is 
scheduled to expire in November and it's our understanding that 
NTIA and Verisign are currently in talks to renew and possibly 
amend this agreement, which could potentially raise prices.
    GoDaddy serves millions of small customers and in our 
experience they're very sensitive to any price increase. We 
believe it's important to preserve price caps in any renewal of 
the cooperative agreement.
    Eventually, we believe our industry and all consumers would 
benefit from the full dot com agreement being put out for 
competitive bid. The Internet has matured over the last 20 
years and while we have no complaints about Verisign's 
performance of the contract, there are now several companies 
that could capably operate the dot com registry equally as well 
and perhaps at lower wholesale cost.
    So thank you again for the opportunity to testify here 
today. We believe the United States must continue to push back 
on protectionist policies imposed by other countries and to 
help mitigate a global patchwork of inconsistent and unclear 
privacy laws and, further, we are hopeful that NTIA will 
increase transparency and extend the current dot com pricing as 
associated with any renewal of the cooperative agreement and 
engage with ICANN and other stakeholders to put that agreement 
out for competitive bid.
    So thank you for your time, and I look forward to your 
questions.
    [The prepared statement of Mr. Bladel follows:]

 Prepared Statement of James Bladel, Vice President of Global Policy, 
                                GoDaddy
Introduction
    Good morning, Chairman Wicker, Ranking Member Schatz, and 
subcommittee members. My name is James Bladel, and I am the Vice 
President of Global Policy at GoDaddy. We appreciate the opportunity to 
testify before you today.
    GoDaddy is the world's largest web platform dedicated to 
independent ventures. We provide the tools, insights, and people to 
enable small businesses, aspiring entrepreneurs, or anyone with an idea 
to get that idea up and running online. Every idea starts with a domain 
name and building an online presence.
    A domain name, whether it is a dot-COM, dot-ORG, or a new extension 
like dot-APP or dot-BLOG, is critical to establishing an online 
identity. GoDaddy currently manages over 76 million domain names for 18 
million customers worldwide. Whether that customer is a florist in 
Mississippi, a baker in London, or a web designer in Mumbai, our 
mission is to provide an excellent customer experience that is uniform 
around the world.
    The focus of this hearing is the impact of international policies 
and regulations on end user experiences and global competition online. 
Today, I will discuss the following three issues:

   Adoption of laws and regulations by countries designed to 
        exclude American companies;

   The patchwork of country and regional privacy laws and 
        regulations; and

   The renewal of the Cooperative Agreement between the 
        National Telecommunications and Information Administration 
        (NTIA) and Verisign, which underpins the global Internet domain 
        name system.
Foreign Regulations
    Internationally, we are seeing an increasing number of countries 
adopt local laws that make it more difficult to serve our customers in 
those markets. We have encountered numerous examples of regulations on 
foreign Internet providers that would require us to establish a local 
presence, or use local banks, or even hire a local workforce, all in 
order to access that market. Some nations aggressively regulate content 
and censor political or religious views. Taken together, these 
regulations stand in the way of GoDaddy reaching new customers, 
competing in new markets, and developing new innovative products. Laws 
like these must be seen as harmful to providers and consumers alike, 
and are a barrier to free trade.
    There is also an increasing number of new privacy regulations, such 
as the European Union's new General Data Protection Regulation 
(GDPR),\1\ creating a patchwork of country and regional laws with which 
companies must comply to operate globally. GDPR compliance has been a 
major undertaking at GoDaddy, diverting time and engineering resources 
away from customer service and product development.
---------------------------------------------------------------------------
    \1\ 2018 Reform of EU Data Protection Rules, available at https://
ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-
protection/2018-reform-eu-data-protection-rules_en
---------------------------------------------------------------------------
GDPR
    GDPR has touched every aspect of our industry, but notably it has 
significantly disrupted the WHOIS service, which is an online directory 
of contact information for domain name registrants. WHOIS is a two-
edged sword, serving as an important tool for law enforcement agencies 
and other stakeholders, while also being a gold mine of personal data 
for spammers. Currently, we are engaged with representatives of law 
enforcement agencies and our colleagues at the Internet Corporation for 
Assigned Names and Numbers (ICANN) to strike the right balance between 
providing access to WHOIS data for legitimate needs, while still 
protecting the private information of our customers.
Cooperative Agreement and dot-COM Contract
    Most important to GoDaddy--and critical to the tens of millions of 
global customers who have dot-COM domains--is the 20-year-old, 
exclusive Cooperative Agreement between NTIA and Verisign.\2\ In 2016, 
an economic study commissioned by ICANN found that Verisign's share of 
legacy generic Top-Level Domains (gTLDs) was over 80 percent, making 
them an effective monopoly in our industry.\3\
---------------------------------------------------------------------------
    \2\ Verisign Cooperative Agreement, National Telecommunications and 
Information Administration (October 2016), available at https://
www.ntia.doc.gov/page/verisign-cooperative-agreement.
    \3\ https://www.icann.org/news/announcement-2016-10-11-en
---------------------------------------------------------------------------
    The Cooperative Agreement addresses this by capping the wholesale 
price of dot-COM domain names at $7.85 per year. The Cooperative 
Agreement is scheduled to expire in November, and we understand that 
NTIA and Verisign are currently in talks to renew and possibly amend 
this agreement.
    Our experience clearly shows that small businesses are very 
sensitive to price increases, and that any increase has the potential 
to suppress their ability to grow, deliver products and add jobs. 
GoDaddy serves millions of small businesses. Granting Verisign the 
ability to raise dot-COM prices would have a negative impact on our 
business and our customers, but also our competitors and their 
customers, which can ultimately affect overall economic growth.
    We see no justification for higher dot-COM prices, and we recommend 
that NTIA preserve the price caps in any renewal of the Cooperative 
Agreement.
    Beyond the renewal of the Cooperative Agreement, we believe our 
industry and all end users would benefit from the dot-COM contract 
eventually being put out for competitive bid. Granting Verisign the 
exclusive right to operate the dot-COM gTLD may have been appropriate 
in the early days of the Internet, but the Internet has matured over 
the last 20 years. And while we have no complaints with Verisign's 
performance of the contract, there are now several companies capable of 
operating the dot-COM gTLD equally as well, and perhaps at lower 
wholesale costs.
Conclusion
    Thank you for the opportunity to testify today to discuss global 
policies that impact the Internet industry and our users. We believe 
the U.S. must continue to push back on protectionist policies imposed 
by other countries and the growing patchwork of privacy regulations.
    Further, we are hopeful the NTIA will provide more transparency, 
and seek more stakeholder engagement, as part of the renewal process 
for the Cooperative Agreement. In the short-term, we support extending 
the dot-COM price caps in any renewed agreement. But in the long-term, 
we would like NTIA to engage with ICANN and other stakeholders to 
develop a strategy to put the dot-COM contract up for competitive bid.
    Thank you for your time, and I look forward to your questions.

    Senator Wicker. Thank you very much.
    Dr. Layton.

 STATEMENT OF ROSLYN LAYTON, Ph.D., VISITING SCHOLAR, AMERICAN 
                      ENTERPRISE INSTITUTE

    Dr. Layton. Thank you, Chairman Wicker, and Ranking Member 
Schatz.
    Chairman Wicker, thank you also for your leadership of the 
Helsinki Commission on Security and Cooperation and your 
defense of human rights. It reminds me how Americans from every 
part of our Nation can play a role in Internet policy.
    For example, Mississippi is innovating in telemedicine and 
precision agriculture. As we enter the 5G era, our economy will 
broaden with smart application for cities, cars, and so on. 
It's not just search engines and social networks. We want to 
export these new 5G platforms and services and this underscores 
the importance of today's hearing.
    Now our country has practiced international technology 
policy for at least 230 years. Alexander Hamilton's report on 
the subject of manufacturers from 1791 advocated for 
modernizing the American economy to break dependence on slavery 
and supersede England in manufacturing. We revere Hamilton for 
his enlightened contribution on the importance of central 
government. Equally, we revere Thomas Jefferson for his 
championing of individual freedoms.
    Our policy legacy is thus to hold the balance of the Rule 
of Law with individual rights and these values should underpin 
our approach to Internet governance. The United States is one-
third of the global tech economy and we should shape the 
international environment with our values, but we won't have 
any credibility if our policy is just about American companies 
making money.
    We must export a value system that legitimately empowers 
and rewards other nations to participate in a free market 
economy, to respect the Rule of Law and individual rights, to 
limit regulatory distortion, to protect property, and to 
improve quality of life. This is how we ensure that our regime 
is the most fair, rationale, and humane.
    Now a popular misconception is that the Global Data 
Protection Regulation or GDPR protects privacy. It does not. 
The GDPR is about data regulation, specifically, 173 rules on 
data regulation.
    Now Europe is the destination of two-thirds of America's 
digital goods and services and U.S. companies are now suffering 
because of its cost and complexity. Now I live in Copenhagen, 
so I can experience this. I can no longer look at the 
newspapers, such as the L.A. Times, the Chicago Tribune, the 
New York Daily News, the Hartford Courant, or Atlanta Sentinel 
and Baltimore Sun.
    Additionally, 60 additional newspapers in Illinois, 
Indiana, Minnesota, Missouri, Montana, Nebraska, Nevada, 
Washington, and Wisconsin are not available. This reduction in 
content has reduced visibility for U.S. advertisers and has 
shut them out of independent ad exchanges.
    Retailers Williams and Sonoma and Pottery Barn no longer 
sell in the EU. Game companies from Washington State have shut 
down their online communities. A Nevada provider of online IT 
services no longer takes European customers. A mobile marketing 
platform company with six offices in the United States has 
closed its EU operation, and even the website of the 
Association of National Advertisers is not available.
    Now if we adopted such a measure in the United States, it 
would likely violate our freedom of speech as the government 
requirements are so onerous that they reduce expression. 
Indeed, California's GDPR-inspired legislation should be 
preempted federally for this very reason, and the EU Parliament 
is using the GDPR as a pretext to torpedo our faithfully 
negotiated Privacy Shield Agreement.
    These actions violate international law and we need to 
challenge them in court.
    Now the GDPR is a global standard tool. The EU tried this 
before with the 3G GSM and Mobile Standard hoping that we would 
get on their platform. We didn't copy them but we leapfrogged 
to 4G LTE. Now we need the same strategy with the GDPR, not to 
copy but to make a better and different alternative for data 
protection, and we can do that by meaningfully empowering 
consumers through digital competence education and 
incentivizing privacy-enhancing technologies.
    I want to applaud Senator Klobuchar for her leadership on 
the proposed bill.
    In closing, we must walk the talk. For a rationale, 
predictable, and consistent framework abroad, we need to start 
at home. Therefore, the right policy should be a consistent 
framework with same rules for all players, grounded in modern 
evidence-based standards of antitrust delivered by the Federal 
Trade Commission. This also requires addressing the regulatory 
prejudice that has deterred flexible pricing and innovation in 
business models and platforms.
    For example, the cooperative agreement between Verisign and 
U.S. Department of Commerce oddly caps the wholesale price of 
dot com domains but allows arbitrage in the secondary market.
    Now just as Jefferson had secured the Mediterranean Sea 
lanes for free trade in the 19th Century, we have to secure the 
information lanes for the free flow of data today, and this is 
now our leadership challenge.
    [The prepared statement of Dr. Layton follows:]

     Prepayed Statement of Roslyn Layton, Ph.D., Visiting Scholar, 
                     American Enterprise Institute
    Thank you Chairman Wicker, Ranking Member Schatz, and members the 
Committee for the opportunity to testify. Chairman Wicker, you are 
understandably informed of international security and policy issues as 
chairman of the Helsinki Commission on Security and Cooperation in 
Europe. Thank you for leadership and commitment to ensure security and 
defend human rights and freedoms in that role.\1\ It reminds me why 
Mississippi is important to the digital future, just like Manhattan. 
Mississippi with its population of 3 million has an economy as large as 
the Nation of Ecuador, which has five times the population.\2\ 
Mississippi is innovating in digital technology with telemedicine \3\ 
and precision farming.\4\ While we think about digital communications 
today as search engines, social networks, ecoomerce, and digital 
content, as we enter the 5G era, our digital economy will be broadened 
with smart applications and platforms for health, homes, cities, grids, 
cars, and infrastructure. We should expect to export these 5G platforms 
and services. This underscores the importance of today's hearing in 
getting the policy right. It also demonstrates that every American can 
benefit and participate in the Internet economy and that all Americans 
have a stake in Internet policy.
---------------------------------------------------------------------------
    \1\ Commission on Security and Cooperation in Europe, ``Senator 
Roger F. Wicker,'' https://www.csce.gov/senator-roger-f-wicker.
    \2\ Mark J. Perry, ``Putting America's Enormous $19.4T Economy into 
Perspective by Comparing U.S. State GDPs to Entire Countries,'' May 8, 
2018, http://www.aei.org/publication/putting-americas-enormous-19-4t-
economy-into-perspective-by-comparing-us-state-gdps-to-entire-
countries/.
    \3\ Morgan Reed, ``The Connected Health Initiative Applauds the 
FCC's New `Connected Care Pilot Program,' '' ConnectedHealth, July 11, 
2018, https://www.connectedhi.com/blog/2018/7/11/the-connected-health-
initiative-applauds-the-fccs-new-connected-care-pilot-program.
    \4\ Office of Roger Wicker, ``Wicker Leaders New Legislation on 
Precision Agriculture,'' press release, January 29, 2018, https://
www.wicker.senate.gov/public/index.cfm/weekly-report?ID=
60B6C27C-72F6-4147-9F27-A24DA2E5B86A.
---------------------------------------------------------------------------
    The economics of the Internet allow for the participation of many 
players. With the evolution to 5G, the next generation mobile standard, 
and the Internet of Things, this will only increase. Existing 
businesses will converge, and new ones will emerge. Consider how 
quickly the U.S. reaped the gains from 4G mobile wireless networks and 
its associated technologies, apps, and services. Some $100 billion was 
added annually to the Nation's GDP.\5\ The windfall from 5G is 
projected to be even greater: The rollout of a 5G network should is 
expected to deliver 3 million new jobs and contribute $1.2 trillion to 
the U.S. economy.\6\
---------------------------------------------------------------------------
    \5\ CTIA, ``How America's 4G Leadership Propelled the U.S. 
Economy,'' April 16, 2018, https://www.ctia.org/news/how-americas-4g-
leadership-propelled-the-u-s-economy.
    \6\ CTIA, ``Global Race to 5G--Spectrum and Infrastructure Plans 
and Priorities,'' April 2018, https://api.ctia.org/wp-content/uploads/
2018/04/Analysys-Mason-Global-Race-To-5G_2018.pdf.
---------------------------------------------------------------------------
    Our country has engaged the question of international technology 
policy for at least 230 years. Alexander Hamilton's Report on the 
Subject of Manufactures in 1791 advocated for modernizing the American 
economy to break dependency on slavery and supersede England in 
manufacturing.\7\ We revere Hamilton for his many contributions, which 
exemplify the importance of a central government. Equally we revere 
Thomas Jefferson, the exponent of individual freedoms and limited 
government.\8\ As such, the legacy of our policy has been an attempt to 
balance the necessary role of a central government with the sovereignty 
of the individual. We maintain that balance through the rule of law and 
enumerated individual rights. These are values that underpin our 
approach to international Internet governance.
---------------------------------------------------------------------------
    \7\ Founders Online, ``Introductory Note: Report on Manufactures,'' 
accessed May 29, 2018, http://founders.archives.gov/documents/Hamilton/
01-10-02-0001-0001.
    \8\ Jules Witcover, Party of the People: A History of the 
Democrats'' (Random House, November 4, 2003).
---------------------------------------------------------------------------
    The U.S. tech economy was $1.6 trillion in 2018, 9.2 percent of 
gross domestic product (GDP). The numbers are even more staggering from 
an equities perspective; the American tech industry accounts for a 
quarter of the value of the U.S. stock market, some $34 trillion.\9\ 
There are half a million tech companies in the U.S. with 34,000 new 
startups in 2017 alone.\10\ Globally, the tech industry topped $4.5 
trillion in revenue in 2017 and is expected to reach $4.8 trillion in 
2018.\11\ The U.S. is the single-largest tech market in the world and 
accounts for 31 percent of the global tech market.\12\
---------------------------------------------------------------------------
    \9\ Nasdaq, ``Technology Companies,''
    \10\ Cyberstates, ``Data Appendix,'' https://www.cyberstates.org/.
    \11\ CompTIA, ``IT Industry Outlook 2018,'' https://
www.comptia.org/resources/it-industry-trends-analysis.
    \12\ CompTIA, ``IT Industry Outlook 2018.''
---------------------------------------------------------------------------
    As such, it is in the national interest to shape the international 
environment by projecting power and securing economic, political, and 
strategic goods. But the U.S. won't have any credibility if its 
international Internet policy is just about American companies making 
money. The U.S. must also export a value system that legitimately 
empowers and rewards other nations to participate in a free-market 
Internet economy, respects the rule of law and individual rights, 
limits regulatory distortion and abuse, protects property, and delivers 
measurable improvements in quality of life. This is how we ensure that 
our regime is most fair, rational, and humane for global Internet 
governance.
    Today, I will describe some geopolitical and protectionist efforts 
proffered by foreign governments as consumer protection, notably the 
General Data Protection Regulation (GDPR), lax enforcement of 
intellectual property, and data localization. I will discuss a range of 
solutions for the committee to consider.
General Data Protection Regulation (GDPR)
    In addition to my role at the American Enterprise Institute, I am 
Visiting Research at the Center for Communication, Media and 
Information Technologies at Aalborg University in Copenhagen, Denmark. 
We run a multidisciplinary research and education program looking at 
the impact of technology in society from engineering, economic, legal, 
and social perspectives. The GDPR is one of our areas of focus, and I 
follow it closely.\13\
---------------------------------------------------------------------------
    \13\ European Commission, ``Data Protection: Rules for the 
Protection of Personal Data Inside and Outside the EU,'' http://
ec.europa.eu/justice/data-protection/reform/files/regulation_oj
_en.pdf.
---------------------------------------------------------------------------
    Europe is the destination for two-thirds of America's digital 
exports,\14\ so naturally we should be concerned when it adopts 
draconian, misguided regulation. Moreover, the region has fallen 
precipitously behind on network investment \15\ by E150.\16\ The 2020 
connectivity goals have been pushed out to 2025. Whereas 20 percent of 
Americans, some 25 million households, have already adopted some kind 
of pre-5G product or service (e.g., Google Home or Amazon Alexia), 
Europeans have yet to make this cultural and technological shift.\17\ 
It makes sense that we should broaden and diversify the market for our 
digital goods and services, as EU, if it continued down the current 
path, will be increasingly incompatible. At the same point, there is 
not a ready market to replace the EU; China wants indigenous 
technology. So we need to pursue a strategy that helps the EU and the 
rest of the world modernize as well as to open China's market. It is 
becoming increasingly difficult for Brussels to maintain the narrative 
that its 20-year attempt to regulate its way to growth and 
competitiveness is working. More Europeans want prosperity than 
protectionism.
---------------------------------------------------------------------------
    \14\ United States International Trade Council. Digital Trade in 
the U.S. and Global Economies, Part 1. 2013 http://www.usitc.gov/
publications/332/pub4415.pdf
    \15\ Roslyn Layton, ``The EU's Broadband Challenge.'' American 
Enterprise Institute. February 19, 2014. http://www.aei.org/
publication/the-european-unions-broadband-challenge/
    \16\ European Investment Bank. ``Restoring EU Competitiveness.'' 
2016 http://www.eib.org/attachments/efs/
restoring_eu_competitiveness_en.pdf
    \17\ Strand Consult. ``American consumers are already buying 5G 
products and services while the EU falls further behind on networks and 
innovation.'' Spring 2018. http://www.strand
reports.com/sw8027.asp
---------------------------------------------------------------------------
    A popular misconception about the GDPR is that it protects privacy; 
it does not. The GDPR is about data protection or more correctly, data 
governance.\18\ The word ``privacy'' appears infrequently in the GDPR, 
only to refer to ``Privacy by Design'' (Article 25), ``Privacy Impact 
Assessment'' (Article 35), the ePrivacy Directive, and the Privacy 
Shield regime. Data protection is a technical issue whereas data 
privacy is a legal one.\19\
---------------------------------------------------------------------------
    \18\ What Is the GDPR?, Evidon (last visited Aug. 25, 2017), 
https://www.evidon.com/education-portal/videos/what-is-the-gdpr/.
    \19\ David Robinson, Data Privacy vs. Data Protection, IPSwitch 
(Jan. 29, 2918), https://blog.ipswitch.com/data-privacy-vs-data-
protection.
---------------------------------------------------------------------------
Harms to consumers, American firms, and competition
    Before entering academe, I had a career in digital marketing in 
Silicon Valley, where I worked with some 2000 American retailers and 
other online companies. In 2010, I was recruited to the European Union 
(EU) because of my analytics-based online marketing skills. Meanwhile 
Brussels began a systematic campaign to dumb down the online experience 
under the guise of ``protecting'' consumers. The ePrivacy Directive 
\20\ or so-called ``cookie law'' launched in 2011, costs EU businesses 
$2.3 billion annually with no relatable benefit.\21\ It is widely 
recognized as a regulatory failure,\22\ detrimental to commerce, and, 
indeed, counterproductive to privacy and data protection.\23\
---------------------------------------------------------------------------
    \20\ EUR-Lex, ``Directive 2002/58/EC of the European Parliament and 
of the Council of 12 July 2002 Concerning the Processing of Personal 
Data and the Protection of Privacy in the Electronic Communications 
Sector (Directive on Privacy and Electronic Communications),'' July 31, 
2002, http://eur-lex.europa.eu/LexUriServ/
LexUriServ.do?uri=CELEX:32002L0058:EN:HTML,
    \21\ Daniel Castro and Alan McQuinn, ``The Economic Cost of the 
European Union's Cookie Notification Policy,'' Information Technology 
and Innovation Foundation, November 6, 2014, https://itif.org/
publications/2014/11/06/economic-cost-european-unions-cookie-
notification-policy.
    \22\ Graham Charlton, ``The EU 'cookie law': what has it done for 
us?'' Econsultancy. August 27, 2014 https://econsultancy.com/blog/
65366-the-eu-cookie-law-what-has-it-done-for-us
    \23\ W. Gregory Voss, ``First the GDPR, Now the Proposed ePrivacy 
Regulation,'' Journal of Internet Law 21, no. 1 (July 25, 2017): 3-11, 
https://ssrn.com/abstract=3008765.
---------------------------------------------------------------------------
    The EU continued promulgating punitive regulation without 
performing regulatory impact analyses of the policies, and ignoring, if 
not rejecting, the mounting empirical evidence that its approach does 
not fulfill the policy goals it promises.\24\ \25\ \26\ \27\ \28\ 
Indeed, when implementing the GDPR, the EU ignored the advice of its 
official research institute on how to create trust in the online 
environment,\29\ notably the importance of consumer education and 
innovation in privacy-enhancing technologies.\30\ After a decade of 
GDPR-type regulations across EU, consumers report only a marginal 
increase in trust online. As of 2017 only 22 percent of Europeans shop 
outside their own country (a paltry increase of 10 percent in a 
decade), suggesting that the European Commission's Digital Single 
Market goals are still elusive.\31\ Moreover, only 20 percent of EU 
companies are highly digitized.\32\ These are primarily large firms. 
Small to medium sized companies invest little to modernize their 
business and market to other EU countries.
---------------------------------------------------------------------------
    \24\ James Hayes,`` `Cookie Law': A Hostage to Fortune?,'' 
Engineering & Technology 7, no.8 (2012): 66-69.
    \25\ Elizabeth Aguirre et al., ``Unraveling the Personalization 
Paradox: The Effect of Information Collection and Trust-Building 
Strategies on Online Advertisement Effectiveness'' Journal of Retailing 
91, no. 1 (2015): 34-49.
    \26\ Ronald Leenes and Eleni Kosta, ``Taming the Cookie Monster 
with Dutch Law--a Tale of Regulatory Failure,'' Computer Law & Security 
Review 31, no. 3 (2015): 317-35.
    \27\ Christina Markou, ``Behavioural Advertising and the New `EU 
Cookie Law' as a Victim of Business Resistance and a Lack of Official 
Determination'' in Data Protection on the Move (Springer Netherlands, 
2016), 213-47.
    \28\ Alan McQuinn and Daniel Castro. ``Why Stronger Privacy 
Regulations Do Not Spur Increased Internet Use.'' ITIF. July 11, 2018 
https://itif.org/publications/2018/07/11/why-stronger-privacy-
regulations-do-not-spur-increased-internet-
use?mc_cid=6ef5636fad&mc_eid=ff7c0376f1
    \29\ Layton, Roslyn, How the GDPR Compares to Best Practices for 
Privacy, Accountability and Trust (March 31, 2017). https://ssrn.com/
abstract=2944358
    \30\ European Union Agency for Network and Information Security. 
``Privacy, Accountability and Trust-Challenges and Opportunities.'' 
February 18, 2011. https://www.enisa.europa.eu/publications/pat-study
    \31\ European Commission Report. ``Use of Internet Services'', 
2018. http://ec.europa.eu/information_society/newsroom/image/document/
2018-20/3_desi_report_use_of_internet_services_18E
82700-A071-AF2B-16420BCE813AF9F0_52241.pdf
    \32\ European Commission Report. ``Integration of Digital 
Technology''. 2018. http://ec.euro
pa.eu/information_society/newsroom/image/document/2018-20/
4_desi_report_integration_of_
digital_technology_B61BEB6B-F21D-9DD7-72F1FAA836E36515_52243.pdf
---------------------------------------------------------------------------
    There is extensive evidence that shows that a flexible, innovation-
based approach yields software and systems that are better designed to 
protect data and privacy and that empower enterprises to operate with 
data protection as a competitive parameter.\33\ The International 
Association of Privacy Professionals' survey of privacy practices of 
800 enterprises around the world found that traditionally less 
regulated industries have more advanced privacy practices than highly 
regulated industries, which conform only to regulatory 
requirements.\34\ Nevertheless the EU has continued its misguided 
approach with the GDPR, promulgating 17 invented rights, 35 new 
responsibilities for bureaucrats, and 45 specific regulations for 
enterprises.
---------------------------------------------------------------------------
    \33\ Kenneth A. Bamberger and Deirdre K. Mulligan, Privacy on the 
Ground: Driving Corporate Behavior in the United States and Europe 
(2015).
    \34\ IAPP-EY Annual Privacy Governance Report 2015, IAPP (2015), 
https://iapp.org/resources/article/iapp-ey-annual-privacy-governance-
report-2015-2/.
---------------------------------------------------------------------------
    Following is a snapshot of the American media, retailers, software, 
and other companies that are no longer accessible in the EU since May 
25, when the GDPR went into effect. This is by no means a comprehensive 
review. Notably people experienced their personal inboxes being flooded 
with GDPR compliance e-mails or consent requests attempt to comply with 
the GDPR, but apparently many of these communications are illegal under 
the GDPR.\35\
---------------------------------------------------------------------------
    \35\ Alex Hern, Most GDPR E-mails Unnecessary and Some Illegal, Say 
Experts, The Guardian (May 21, 2018), https://www.theguardian.com/
technology/2018/may/21/gdpr-e-mails-mostly-unnecessary-and-in-some-
cases-illegal-say-experts.
---------------------------------------------------------------------------
    There is no access to Tronc Media, whose flagships newspapers 
include the Los Angeles Times, Chicago Tribune, New York Daily News, 
Hartford Courant (America's longest running newspaper since 1764), 
Orlando Sentinel, and the Baltimore Sun.\36\ Access is not available to 
more than 60 newspapers of Lee Enterprises covering news across 20 
states including Illinois, Indiana, Minnesota, Missouri, Montana, 
Nebraska, Nevada, Washington, and Wisconsin.\37\
---------------------------------------------------------------------------
    \36\ Alanna Petroff. CNN Money. ``LA Times takes down website in 
Europe as privacy rules bite.'' May 25, 2018. https://money.cnn.com/
2018/05/25/media/gdpr-news-websites-la-times-tronc/index.html
    \37\ Roslyn Layton (@Roslyn Layton), ``Alas, from the EU I can't 
read @CapTimes and 60 other newspapers across 20 stats in the Lee 
Enterprises group because of the #GDPR. Freedom and First Amendment 
R.I.P.,'' July 26, 2018, 9:47 a.m., https://twitter.com/RoslynLayton/
status/1022508758252113920.
---------------------------------------------------------------------------
    Blocked media is not only a problem for the one million Americans 
who live in the EU and can no longer read news and information about 
their hometowns, but for Europeans who wish to learn more about the 
U.S. from direct sources rather than the state-owned media, which 
dominate the press and broadcasting in most EU countries. To access the 
internet, Europeans must pay a government media license fee on top of 
their broadband subscription. The penalty for failing to pay is 
imprisonment.\38\
---------------------------------------------------------------------------
    \38\ Roslyn Layton and Michael Horney, ``Innovation, Investment, 
and Competition in Broadband and the Impact on America's Digital 
Economy,'' Mercatus Center, August 12, 2014, 10, https://
www.mercatus.org/publication/innovation-investment-and-competition-
broadband-and-impact-america-s-digital-economy.
---------------------------------------------------------------------------
    It is not just the American media oulets which are down but their 
advertisers. Given the scope of Google's advertising platform and its 
affiliates on syndicated networks, its compliance to the GDPR has 
caused ripple effects in ancillary markets. Independent ad changes 
noted prices plummeting 20 to 40 percent.\39\ Some advertisers report 
being shut out from exchanges.\40\ The GDPR's complex and arcane 
designations for ``controllers'' and ``processors'' can ensnare third 
party chip makers, component suppliers, and software vendors which have 
never interfaced with end users, as European courts have ruled that any 
part of the ecosystem could be liable for data breaches.\41\
---------------------------------------------------------------------------
    \39\ Jessica Davies, `The Google Data Protection Regulation': GDPR 
is Strafing Ad Sellers, Digiday (June 4, 2018), https://digiday.com/
media/google-data-protection-regulation-gdpr-stra
fing-ad-sellers/.
    \40\ Catherine Armitage. World Federation of Advertisers. July 10, 
2018. https://www.wfanet
.org/news-centre/life-after-gdpr-what-next-for-the-advertising-
industry/
    \41\ https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/
?uri=CELEX:62016CJ0210&qid
=1531145885864&from=EN
---------------------------------------------------------------------------
    Many American retailers, game companies, and service providers no 
longer sell in the EU. The websites of Williams-Sonoma and Pottery Barn 
are dark.\42\ The online experience of scores of other American 
retailers is now polluted with pop-ups and disclosures, prompting many 
customers to click away. Verve, a leading mobile marketing platform 
with offices in 6 U.S. cities, closed its European operation in advance 
of GDPR, impacting 15 EU employees.\43\ Valve, an award-winning video 
game maker company in Bellevue, Washington, shut down an entire game 
community rather than invest in GDPR compliance,\44\ similalry for Uber 
Entertainment in nearby Kirkland, WA, which shut down one of its most 
popular games entirely after a 6 year run because upgrading the 
platform to GDPR was too expensive.\45\ California-based Gravity 
Interactive no longer offers games in the EU and refunded its European 
customers.\46\ The Las Vegas-based Brent Ozar Unlimited offering a 
range of information technology and software support services stopped 
serving the EU.\47\ Even the website of the Association of National 
Advertisers is not available.\48\
---------------------------------------------------------------------------
    \42\ Roslyn Layton (@Roslyn Layton), ``More #GDPR casualties. 
@WilliamsSonoma group no longer selling in EU including @potterybarn 
@PotteryBarnKids @potterybarnteen etc. I can't even access recipes. 
@caprivacyorg do you really want to shut down this great SF company 
with your misguided approach?,'' July 9, 2018, 3:10 a.m., https://
twitter.com/RoslynLayton/status/1016248093547945984.
    \43\ Ronan Shields. ``Verve to focus on U.S. growth as it plans 
closure of European offices ahead of GDPR.'' April 18, 2018. https://
www.thedrum.com/news/2018/04/18/verve-focus-us-growth-it-plans-closure-
european-offices-ahead-gdpr
    \44\ Steam, ``Super Monday Night Combat,'' https://
steamcommunity.com/app/104700/all
news/.
    \45\ Owen Good. ``Super Monday Night Combat will close down, citing 
EU's new digital privacy law.'' Polygon. April 28, 2018. https://
www.polygon.com/2018/4/28/17295498/super-monday-night-combat-shutting-
down-gdpr
    \46\ Warportal, ``Important Notice Regarding European Region 
Access,'' http://blog.warp
portal.com/?p=10892.
    \47\ Brent Ozar, ``GDPR: Why We Stopped Selling Stuff to Europe,'' 
December 18, 2017, https://www.brentozar.com/archive/2017/12/gdpr-
stopped-selling-stuff-europe/.
    \48\ Roslyn Layton (@Roslyn Layton), ``Blocked again by #GDPR. 
Thanks a lot @JanAlbrecht @EU_EDPS. Who needs to use the Internet to 
read blogs and get information anyway? Government censorship parading 
as privacy and data protection. Sorry @ANAGovRel,'' June 7, 2018, 4:30 
a.m., https://twitter.com/RoslynLayton/status/1004671815426478081.
---------------------------------------------------------------------------
    If we adopted such a measure in the US, it would likely violate the 
freedom of speech, as the government requirements are so onerous that 
they limit expression. As such, we should be weary of California's 
privacy effort, which bills itself as an American version of the 
GDPR.\49\ Indeed the GDPR's asserted jurisidiction outside the EU may 
be illegal.\50\
---------------------------------------------------------------------------
    \49\ Roslyn Layton, ``Privacy Regulation Insanity: Making the Same 
Rules and Expecting a Different Outcome,'' AEIdeas, June 21, 2018, 
http://www.aei.org/publication/privacy-regulation-insanity-making-the-
same-rules-and-expecting-a-different-outcome/.
    \50\ Kurt Wimmer. Free Expression and Privacy: Can New European 
Laws Reach U.S. Publishers? Media Institute. November 9, 2017 https://
www.mediainstitute.org/2017/11/09/free-expression-and-privacy-can-new-
european-laws-reach-u-s-publishers/
---------------------------------------------------------------------------
    To comply with the GDPR, firms of 500 employees or more will likley 
have to spend between $1 and $10 million.\51\ With over 19,000 \52\ 
U.S. firms of this size, total GDPR compliance costs for this group 
could reach $150 billion, twice the U.S. spend on network investment 
\53\ or one-third of the annual ecommerce revenue in the USA.\54\ Hosuk 
Lee-Makiyama calculates that the GDPR's requirements on cross-border 
trade flows will increase prices, amounting to a direct welfare loss of 
E260 per European citizen.\55\ The net effect is that those companies 
that can afford to will comply; the rest will exit. Hence the GDPR 
becomes a barrier to market entry, punishing small firms, rewarding the 
largest players, and enuring regulators into a codependent relationship 
with the firms they regulate. This is a perverse outcome for a 
regulation promised to level the playing field on data protection.
---------------------------------------------------------------------------
    \51\ PricewaterhouseCoopers, ``GDPR Compliance Top Data Protection 
Priority for 92 percent of U.S. Organizations in 2017, According to PwC 
Survey,'' January 23, 2017, https://www
.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-
release.html.
    \52\ U.S. Census Bureau, ``2015 SUSB Annual Data Tables by 
Establishment Industry,'' January 2018, https://www.pwc.com/us/en/
press-releases/2017/pwc-gdpr-compliance-press-release.html.
    \53\ Jonathan Spalter, ``Broadband CapEx Investment Looking Up in 
2017,'' USTelecom, July 25, 2018, https://www.ustelecom.org/blog/
broadband-capex-investment-looking-2017.
    \54\ US Census Bureau, ``Quarterly Retail E-Commerce Sales 1st 
Quarter 2018,'' May 17, 2018, https://www.census.gov/retail/mrts/www/
data/pdf/ec_current.pdf.
    \55\ Lee-Makiyama, Hosuk, ``The Political Economy of Data: EU 
Privacy Regulation and the International Redistribution of Its Costs,'' 
in Protection of Information and the Right to Privacy-A New 
Equilibrium? (Springer International Publishing, 2014), 85-94. This 
methodology is expanded in Erik Van der Marel et al., ``A Methodology 
to Estimate the Costs of Data Regulations,'' International Economics 
146 (2016): 12-39.
---------------------------------------------------------------------------
    Moreover, the GDPR is fundamentally incompatible with Big Data, 
artificial intelligence, and machine learning with its specific 
regulation for purpose specification, data minimization, automated 
decisions and special categories.\56\ Some of the most important 
scientific advances have been the result of processing disparate sets 
of information in inventive ways, ways that neither subjects nor 
controllers anticipated, let alone requested. Consider the definitive 
study on whether the use of mobile phones causes brain cancer.\57\ The 
Danish Cancer Society analyzed the entire population of Denmark born 
since 1925 by processing social security numbers, mobile phone numbers, 
and the National Cancer Registry which records every incidence of 
cancer by social security number. The study is the most comprehensive 
investigation proving that the use of mobile phones is not correlated 
with brain cancer.
---------------------------------------------------------------------------
    \56\ Tal Z. Zarsky, ``Incompatible: The GDPR in the Age of Big 
Data,'' Seton Hall Law Review 47, no. 4 (2017): 2.
    \57\ Use of mobile phones and risk of brain tumours: update of 
Danish cohort study. BMJ 2011; 343 doi: https://doi.org/10.1136/
bmj.d6387 (Published 20 October 2011)
---------------------------------------------------------------------------
    Security concerns have also emerged. As AEI's Internet governance 
expert Shane Tews declares, ``The right to be forgotten is pitted 
against the right to be informed.'' \58\ A key example is WHOIS, the 
query and response protocol use to identify those who register domain 
names is threatened to be masked under the GDPR. Law enforcement, 
cybersecurity professionals and researchers, and trademark and 
intellectual property rights holders have a vital interest in the 
transparency of WHOIS.\59\ ``The publicly available data that is used 
to inform threat intelligence networks, find bad actors, and block them 
from accessing networks will no longer be available under the GDPR,'' 
she warns.\60\ The situation harkens back to a key fallacy of so-called 
privacy activists who attempted to block the rollout of caller ID 
because it violated the privacy rights of intrusive callers.\61\ Today 
we agree that the receivers right to know who is calling is prioritized 
over the caller.
---------------------------------------------------------------------------
    \58\ Shane Tews, ``Privacy and Europe's data protection law: 
Problems and implications for the US''. AEI.org May 8, 2018. http://
www.aei.org/publication/privacy-and-europes-data-protection-law-
problems-and-implications-for-the-us/
    \59\ Shane Tews. ''How European data protection law is upending the 
Domain Name System.'' American Enterprise Institute. February 26, 2018. 
https://www.aei.org/publication/how-european-data-protection-law-is-
upending-the-domain-name-system/
    \60\ Supra Tews May 2018
    \61\ See Justin ``Gus'' Hurwitz and Jamil N. Jaffer, ``Modern 
Privacy Advocacy: An Approach at War with Privacy Itself?, Regulatory 
Transparency Project of the Federalist Society,'' June 12, 2018, 
https://regproject.org/paper/modern-privacy-advocacy-approach-war-
privacy/.
---------------------------------------------------------------------------
Global jurisdiction, selective enforcement
    In a press conference about the GDPR,\62\ Jan Phillip Albrecht,\63\ 
Green Party parliamentarian and ``father of the GDPR,'' assured that 
GDPR investigations would not focus on small to medium enterprises but 
instead ``will concentrate on the bigger ones that pose a threat to 
many consumers.'' He noted that firms ``already for quite a time now 
are under suspicion of not complying with European data protection 
rules'' and that they ``have been on their screen for years [and] will 
be the first to be looked at.'' He indicated that it could be two years 
before cases are resolved given the process for investigation, 
adjudication, and appeal. Industry observers suggest that U.S. data 
brokers (e.g., Axciom, Datalogix, and Equifax) will also be targeted, 
as well as the auto, pharma, and health care industries.\64\
---------------------------------------------------------------------------
    \62\ European Parliament, Press Conference by Jan Philipp Albrecht, 
last visited June 24, 2018, https://multimedia.europarl.europa.eu/en/
albrecht-general-data-protection-regulation_I155149-A_ra.
    \63\ Jan Philipp Albrecht, Auf zu neuen Ufern: Minister fur 
Digitales und Draußen, (Mar. 3, 2018), https://
www.janalbrecht.eu/2018/03/auf-zu-neuen-ufern/ (Albrecht noted that he 
will not run for reelection in the European Parliament in 2018 but take 
a position as Minister of Digital and Outdoors in the German province 
of Schleswig-Holstein where he hopes to shape climate and agricultural 
policy and EU relations).
    \64\ Laurens Cerulus and Mark Scott, ``Who Stands to Lose the Most 
from Europe's New Privacy Rules,'' Politico, May 23, 2018, https://
www.politico.eu/article/the-gdpr-hit-list-who-stands-to-lose-from-
europes-new-privacy-rules-facebook-google-data-protection/.
---------------------------------------------------------------------------
    If smaller companies are trying in good faith to comply with the 
GDPR, it would be disproportionate to sanction them, Albrecht said, 
noting that data protection authorities (DPAs) would more likely assist 
them to become compliant. While the GDPR automatically supersedes 
national law, only 4 of the 28-member states (Austria, Germany, 
Slovakia, and Sweden) have completed the formal process to update their 
local laws to align with the GDPR. If one country rules in a case in 
its own court, it can be overruled by a majority of the EU nations.
    Albrecht argues that enforcement should prioritize the companies 
that have been on regulators' radar. But if the regulators already know 
which companies are causing problems, why require every data processor 
that serves Europeans to comply with preventative regulations? It could 
be part of a ``make-work'' strategy to keep Europe's 62 privacy and 
data protection authorities in business and create jobs for some 75,000 
privacy professionals \65\ as data protection officers in firms--
another GDPR requirement.
---------------------------------------------------------------------------
    \65\ Rita Heimes and Sam Pfeifle, Study: GDPR's Global Reach to 
Require at Least 75,000 DPO's Worldwide, Int'l Assoc. of Privacy 
Professionals, https://iapp.org/news/a/study-gdprs-global-reach-to-
require-at-least-75000-dpos-worldwide/.
---------------------------------------------------------------------------
    Interestingly, Albrecht defends selective enforcement. While the 
GDPR's stated goal is to make a common standard for every firm, the 
real goal is to discipline large American firms. This is enabled by the 
GDPR's enumerated rights of representation, judicial remedy, and 
compensation, all of which form the basis for regulation by class 
action. Activists are encouraged to create nonprofit organizations,\66\ 
lodge complaints,\67\ and collect damages on behalf of users.\68\ 
Importantly, GDPR complaints cover not just actual injury or harm--
which would be required for a class action in U.S. Federal court--but 
failure to comply with regulation, even if no harm results. While class 
actions can offer consumers a convenient, effective remedy for harm, 
violation, and noncompliance, they can also be abused by unscrupulous 
lawyers and activists seeking to bypass democratic policymaking 
procedures.\69\ By legitimizing regulation by class action in the GDPR, 
the EU creates an incentive for legal abuse. Historically, Europe has 
largely eschewed ``US-style'' class actions, noting that they 
disproportionately reward lawyers over consumers.\70\ However, policy 
entrepreneurs have engineered the GDPR so that privacy activists can 
bring cases without overcoming legal barriers of standing and 
jurisdiction--safeguards that help preclude the abuse of the legal 
system for private gain.
---------------------------------------------------------------------------
    \66\ ``The Right of Data Subjects to Mandate a Not-for-Profit Body, 
Organisation, or Association,'' GDPR Recital 142.
    \67\ ``The Right of Data Subjects to Mandate a Not-for-Profit Body, 
Organisation, or Association,'' GDPR Recital 141.
    \68\ ``The Right of Data Subjects to Mandate a Not-for-Profit Body, 
Organisation, or Association,'' GDPR Recital 143.
    \69\ Martin H. Redish, Wholesale Justice: Constitutional Democracy 
and the Problem of the Modern Class Action, Northwestern University, 
2009.
    \70\ Redish, Wholesale Justice, 32.
---------------------------------------------------------------------------
    Notably Albrecht, European Commission representative Paul Nemitz, 
and American nonprofit Electronic Privacy Information Center (EPIC) all 
sit on the board of None of Your Business,\71\ a nonprofit founded 
under the auspices of the GDPR by Austrian privacy activist Max Schrems 
to bring complaints against American firms. Just seven hours after the 
GDPR came into effect, it filed complaints against Google and Facebook 
demanding $8.8 billion in damages.\72\
---------------------------------------------------------------------------
    \71\ Noyb, ``Executive Board,'' https://noyb.eu/team.
    \72\ Layton, ``Privacy Regulation Insanity.''
---------------------------------------------------------------------------
    Schrems' 2013 lawsuit against Facebook single-handedly torpedoed 
the 15 year old, transatlantic Safe Harbor agreement that processed the 
data of 4,400 firms, some $250 billion annually.\73\ Indeed Schrems' 
lawsuits are referenced in the brinkmanship of European Parliament, a 
resolution to end the faithfully negotiated Privacy Shield by September 
1, 2018 if the U.S. does not submit to its demands.\74\ Many privacy 
activists are fueled by post-Snowden animus for the U.S. Government and 
could organize a GDPR complaint against a U.S. Federal agency with data 
from European subjects. We already see the automation of complaints--
using technology to spam data protection authorities and firms with 
thousands, if not millions, of complaints at once.\75\ Indeed 
government agencies may be the some of the most vulnerable entities 
under the GDPR.
---------------------------------------------------------------------------
    \73\ Roslyn Layton, ``Europe's Protectionist Privacy Advocates,'' 
Wall Street Journal, March 9, 2016, https://www.wsj.com/articles/
europes-protectionist-privacy-advocates-1457566423.
    \74\ European Parliament, ``Motion for a Resolution,'' June 26, 
2018, http://www.europarl
.europa.eu/sides/getDoc.do?type=MOTION&reference=B8-2018-
0305&language=EN.
    \75\ Privateidentitycontrol.com, ``Retrieve the Right to Your Own 
Identity. Simple and Smooth!,'' https://
www.privateidentitycontrol.com/.
---------------------------------------------------------------------------
    In addition to these concerns, there are legal and administrative 
issues. The GDPR assumes that regulatory authorities have more 
information than consumers and firms and therefore know better how to 
order transactions in the marketplace.\76\ All the same, the GDPR 
imposes massive new responsibility on regulators without a concurrent 
increase in training or funding.\77\ EU data supervisors must wear many 
hats, including ``ombudsman, auditor, consultant, educator, policy 
adviser, negotiator, and enforcer.'' \78\ Furthermore, the GDPR widens 
the gap between the high expectations for data protection and the low 
level of skills possessed by data supervisors charged with its 
implementation.\79\ There are certainly many talented individuals among 
these ranks, but the mastery of information communication technologies 
varies considerably among these professionals, especially as each 
nation's data protection authority is constituted differently.
---------------------------------------------------------------------------
    \76\ See generally F.A. Hayek, Economics and Knowledge (1937); F.A. 
Hayek, The Use of Knowledge in Society (1945).
    \77\ Douglas Busvine, Julia Firoretti, and Mathieu Rosemain, 
``European Regulators: We're Not Ready for New Privacy Law,'' Reuters, 
May 8, 2018, https://www.reuters.com/article/us-europe-privacy-
analysis/european-regulators-were-not-ready-for-new-privacy-law-
idUSKBN1I915X.
    \78\ Colin J. Bennett and Charles Raab, The Governance of Privacy: 
Policy Instruments in Global Perspective (2006).
    \79\ Charles D. Raab and Ivan Szekely, Data Protection Authorities 
and Information Technology, Computer L. & Sec. Rev. (forthcoming), 
https://ssrn.com/abstract=2994898.
---------------------------------------------------------------------------
    While the GDPR's purported goal is to ensure ``fundamental 
rights,'' relatively few European users are aware of it. A UK survey 
found that 34 percent of respondents recognized the law, and even fewer 
knew what it covered.\80\ Europeans' dissatisfaction with the EU is 
well documented.\81\ Indeed, voter turnout in European Parliament 
elections dwindled from 62 percent in 1979 to just 42 percent in 
2014.\82\ This environment is conducive for the collective action \83\ 
of organized special interests to win over the diffuse majority. 
Essentially privacy advocates have effectively forced citizens' consent 
to heavy-handed data regulation in spite of public opinion,\84\ which 
seems to favor a more nuanced approach to privacy and data protection 
over the sledgehammer of the GDPR.
---------------------------------------------------------------------------
    \80\ Kirsty Cooke, ``Kantar--Data Shows Awareness of GDPR Is Low 
amongst Consumers,'' March 27, 2018, https://uk.kantar.com/public-
opinion/policy/2018/data-shows-awareness-of-gdpr-is-low-amongst-
consumers/.
    \81\ ``Europe's Pressure Points,'' AEI, January 17, 2017, http://
www.aei.org/feature/europes-pressure-points/.
    \82\ ``Turnout 2014--European Parliament,'' European Parliament, 
accessed July 27, 2018, http://www.europarl.europa.eu/elections2014-
results/en/turnout.html.
    \83\ Mancur Olson, The Logic of Collective Action. Harvard 
University Press, January 1971, http://www.hup.harvard.edu/
catalog.php?isbn=9780674537514.
    \84\ Roslyn Layton, ``How the GDPR Compares to Best Practices for 
Privacy, Accountability and Trust,'' SSRN Scholarly Paper March 31, 
2017, https://papers.ssrn.com/abstract=2944358.
---------------------------------------------------------------------------
Conflicting visions of rights and freedoms
    Aside from these legal quagmires, the U.S. should not adopt the 
EU's approach because our notions of privacy come from fundamentally 
different perspectives. America was founded on the idea that human 
beings are born with natural rights, such as the rights to life and 
liberty. These rights are inviolable, God-given, and independent on the 
laws and customs of the country and, thus, cannot be repealed or 
restrained by human laws. Natural rights make no demands on others 
except that they respect those rights. This has been codified in our 
Constitution and confirmed with over two centuries of case law. Natural 
rights should be distinguished from human rights, which are moral 
principles or norms to describe standards of human behavior.
    The EU approach, which only came into being in this century, is 
rather a Johnny-come-lately with the concept of privacy rights bestowed 
by government and a legal system, and thus can be modified, repealed, 
and restrained by government. The GDPR, a legal or government-granted 
right, makes specific demands of others (e.g., demanding how data 
processors must govern data).
    The main authority for privacy enforcement in the U.S. is 15 USC 
Sec. 45, which charges the Federal Trade Commission (FTC) with 
preventing ``unfair methods of competition in or affecting commerce and 
unfair or deceptive acts or practices in or affecting commerce.'' \85\ 
The FTC took up some 200 cases in 2017 alone.\86\ In matters of 
privacy, the FTC's role is to enforce privacy promises made in the 
marketplace. Whereas the GDPR assumes that any data collection is 
suspect, the FTC focuses its enforcement efforts on sensitive 
information that should be protected against unwarranted disclosure. 
This helps avoid imposing costly and draconian compliance mandates on 
entities that are not a priori threats to personal privacy, such as 
personal blogs, nonprofit organizations, or informational websites. The 
FTC's approach seeks to allocate scarce regulatory resources to prevent 
the greatest threats to online privacy. To be sure, if a small entity 
behaves in an unfair or deceptive way, it can be prosecuted, but the 
FTC does not assume that every entity wants to harm online users. 
Additional laws form the foundation on which the FTC carries out this 
charge including the Privacy Act of 1974,\87\ the Gramm-Leach-Bliley 
Act,\88\ the Fair Credit Reporting Act,\89\ and the Children's Online 
Privacy Protection Act.\90\
---------------------------------------------------------------------------
    \85\ 15 USC Sec. 45 (2012).
    \86\ Federal Trade Commission, ``Privacy & Data Security Update: 
2017,'' January 2017-December 2017, https://www.ftc.gov/system/files/
documents/reports/privacy-data-security-update-
2017-overview-commissions-enforcement-policy-initiatives-consumer/
privacy_and_data_security
_update_2017.pdf.
    \87\ 5 USC Sec. 552a.
    \88\ 15 USC Sec. Sec. 6801-6809.
    \89\ 15 USC Sec. 1681 et seq.
    \90\ 15 USC Sec. Sec. 6501-6506.
---------------------------------------------------------------------------
    The current vogue of normative models for data protection such as 
the GDPR demonstrate the danger of ``privacy overreach,'' in which the 
drive to protect privacy becomes absolute, lacks balance with other 
rights, and unwittingly brings worse outcomes for privacy and data 
protection.\91\ The pace of privacy and data protection law is 
significantly faster than other laws, leading one scholar to suggest 
that it threatens to upend the balance with other fundamental 
rights.\92\
---------------------------------------------------------------------------
    \91\ Supra Hurwitz
    \92\ See Maja Brkan, The Unstoppable Expansion of the EU 
Fundamental Right to Data Protection, Maastricht Journal of European 
and Comparative Law 23, no. 5 (2016): 23, http://journals.sagepub.com/
doi/abs/10.1177/1023263X1602300505?journalCode=maaa.
---------------------------------------------------------------------------
    The principle of rational, limited government protects us against 
the Kafkaesque bureaucratization of regulation in which government 
agencies enshrine themselves in power in the name of protecting 
citizens. Totalitarian regimes are built on the premise that power must 
be increasingly centralized to ensure individual freedom. Every senator 
on the dais knows what it means to be responsible to the people. Both 
sides of the aisle and both houses of this Congress care deeply about 
the issues of privacy and data protection and have attempted to address 
them in a thoughtful way, respecting the rule of law and individual 
freedoms, notably Sen. Klobuchar (D-MN) with her bill.\93\
---------------------------------------------------------------------------
    \93\ Social Media Privacy Protection and Consumer Rights Act of 
2018, https://www.congress
.gov/bill/115th-congress/senate-bill/2728/text.
---------------------------------------------------------------------------
    Indeed, there are conflicting visions within the EU itself about 
which elements of data protection are valuable. A study of Polish 
university students' monetary valuation of specific GDPR provisions 
using stated preference discrete choice experiments highlights the 
enormous gap between research and policy.\94\ Researchers estimate that 
users are willing to pay =6.5/month for a subset of GDPR provisions, 
notably =1.4/month for erasure and =0.80/month not to be profiled. 
Interestingly while data portability is valued by policymakers, it was 
not valued by students. The study also suggests that users could value 
data protection differently at different points in time and depending 
on the application used.
---------------------------------------------------------------------------
    \94\ Sabolewski, Maciej and Palinski Michal. How much consumers 
value on-line privacy? Welfare assessment of new data protection 
regulation (GDPR). International Telecommunications Society Conference, 
Passau. July 31, 2017
---------------------------------------------------------------------------
    If users are willing to pay for specific data protection services, 
why not allow companies to charge for such services or align their 
business models based upon their specific consumer preferences? Instead 
the GPDR increases the cost across the board without meaningfully 
addressing individual preferences. By requiring all companies to 
implement such rules, the EU reduces competitive parameters by forcing 
companies to evolve when the market would otherwise make them obsolete. 
Informed policy would use randomized controlled trials to find which 
set of preferences is most valued and efficient. Simply put, the 17 
enumerated ``rights'' represents the wish list of activists, not the 
evidenced-based request of citizens.
Challenging the GDPR as an Illegal Trade Barrier
    We should recognize the GDPR for what it is--a standards war--and 
make the appropriate response. For years Europe has fallen behind in 
the digital economy. It continues to watch the US, and increasingly 
China, capture the world market for Internet innovation and revenue. So 
rather than compete on making better Internet products and services, 
the EU competes on regulatory standards. While the EU claims that the 
GDPR regulates data processing for ``mankind,'' its motives are 
geopolitical, not humanitarian.\95\ While the GDPR's supporters claim 
its benefit for ``everyone'', only a select few were involved in its 
development. Non-Europeans were never consulted on this legislation, 
nor were they able to vote on its passage. Moreover, the European 
Parliament didn't consult with global institutions or multistakeholder 
group before making the GDPR.
---------------------------------------------------------------------------
    \95\ GDPR Paragraph 4
---------------------------------------------------------------------------
    The EU made a similar gambit for world dominance in mobile 
standards by forcing the adoption of 3G/GSM, hoping to trounce the 
code-division multiple access (CDMA) platform that American operators 
had invested in. For a time, the strategy gave the European mobile 
industry (including its six phone manufacturers) a leg up, but the U.S. 
jumped ahead to 4G and became the world leader in mobile. We should not 
copy the GDPR but rather leapfrog it with a better approach to data 
protection.\96\
---------------------------------------------------------------------------
    \96\ Roslyn Layton, ``Four Ways the U.S. Can Leapfrog the EU on 
Online Privacy,'' AEIdeas, May 22, 2018, http://www.aei.org/
publication/four-ways-the-us-can-leapfrog-the-eu-on-online-privacy/.
---------------------------------------------------------------------------
    The EU's GDPR is a form of mercantilism, an economic policy 
promoting government regulation of the economy to augment state power 
at the expense of rival nations. It was widely practiced in Europe from 
the 16-18th century and led to colonial expansion as well as war. 
Mercantilism is the opposite of the American system, the classic 
political economy.\97\ The GDPR likely violates the World Trade 
Organization and the Information Technology Agreement and should be 
challenged as such.\98\
---------------------------------------------------------------------------
    \97\ Lars Magnusson, Mercantilism: The Shaping of an Economic 
Language. Routledge, 2015.
    \98\ Julie A. Hedlund and Robert D. Atkinson. ``The Rise of the New 
Mercantilists: Unfair Trade Practices in the Innovation Economy.'' 
ITIF, June 2007. http://www.itif.org/files/ITMer
cantilism.pdf
---------------------------------------------------------------------------
    Based on the scientific evidence, the keys to improving trust 
online are consumer education and incentives for innovation in privacy 
enhancing technologies. These topics have little to no mention in the 
GDPR and represent the path for the U.S. to develop a superior 
approach.
Leapfrogging the GDPR
    Consumer Education
    While the GDPR claims to empower people, it offers nothing in the 
way to empower people to educate themselves about how to engage online 
responsibly. This is likely on purpose because regulatory advocates 
realize that if people were educated and empowered, they could make 
their own decisions about how to engage with platforms and would not 
require government supervision on their online activities.
    The GDPR perpetuates a fallacy that making consent more explicit 
makes consumers more informed. It is like speaking more loudly to a 
person who speaks another language in the hope that she will better 
understand. The GDPR requires enterprises to make consent ever more 
detailed, burdensome and granular without increasing the user's 
knowledge of the transaction. This creates an increasing chasm between 
consumer empowerment and bureaucratic control.
    Public choice theory also suggests that the EU data supervisors' 
preferences are not necessarily aligned with the ``public interest,'' 
what is best for European welfare in the long run. Increasing user 
knowledge and the quality of data protection technology could 
legitimately make people better off, but it could also render 
regulators less important. While data supervisors will not necessarily 
reject policies that improve user knowledge and technology design, it 
is in their interest to promote inputs that increase their own 
resources and legitimacy in conducting compliance and adjudication.
    As my research details, the EU's official statistics, the 
Eurobarometer, notes that more than half of all Europeans fail to 
practice basic privacy-enhancing behaviors.\99\ This situation is ripe 
for improvement and represents a classic example of how consumer 
education can improve outcomes better, more quickly, and at a lower 
cost than regulation. Indeed, the first principle of consumer education 
in data protection, buyer beware, is the first principle for how 
citizens should protect themselves in cyberthreats in Michael 
Chertoff's new book on cybersecurity: ``Be mindful of what data you 
transmit and what you connect to your own network.'' \100\ He also 
recommends practicing cyber hygiene, taking advantage of layered 
cybersecurity technology, and to outsmart scams with a phone call. 
Consumers need to practice the same kind of vigilance and personal 
responsibility in cybersecurity as they do in the data protection 
domain. Outsourcing the job to bureaucrats will not cut it.
---------------------------------------------------------------------------
    \99\ See Roslyn Layton, How the GDPR Compares to Best Practices for 
Privacy, Accountability, and Trust, at 14 (Mar. 31, 2018), https://
papers.ssrn.com/sol3/papers.cfm?abstract_id=2944358.
    \100\ Michael Chertoff. Exploding Data: Reclaiming Our Cyber 
Security in the Digital Age. Atlantic Monthly Press, 2018.
---------------------------------------------------------------------------
    Several private and public organizations have outlined the role of 
consumer education in online privacy more than a decade ago, but these 
assets were purposely ignored by the European Parliament in crafting 
the legislation. Notably, the Organisation for Economic Co-operation 
and Development (OECD) published a study on Consumer Education for 
Digital Competence.\101\ Key learning points include:
---------------------------------------------------------------------------
    \101\ Organisation for Economic Co-operation and Development, 
``Consumer Education Policy Recommendations of the OECD'S Committee on 
Consumer Policy,'' 2009, http://www.oecd.org/sti/consumer/44110333.pdf.

   Linking the concept of digital competence with critical 
---------------------------------------------------------------------------
        thinking on technology and the media;

   Educating to provide a basis for developing an understanding 
        of the structures and conceptual relationships understanding 
        digital media (e.g., functioning of online market, e-commerce 
        marketing techniques, and user tools);

   Learning the how and why of protecting personal information 
        when using digital media;

   Using media to promote the education of digital competence 
        in compelling ways (e.g., games, videos, blogs, and virtual 
        worlds);

   Age-appropriate education;

   Implementing teacher training; and

   Strengthening multi-stakeholder cooperation to create 
        educational partnerships.

    The OECD also published a book to describe prevailing consumer 
education practices across the member nations, including the 
institutional frameworks and policy evaluation tools.\102\ For example, 
in the U.S.., the ``Teaching Privacy Curriculum'' by Serge Egelman et 
al., offers interactive instruction on 10 principles of online privacy 
over three weeks in a university setting, a method which has also 
proved effective to educate and empower users to manage their 
privacy.\103\
---------------------------------------------------------------------------
    \102\ Organisation for Economic Co-operation and Development, 
``Promoting Consumer Education: Trends, Policies and Good Practices--
OECD,'' March 2009, http://www.oecd.org/sti/consumer/
promotingconsumereducationtrendspoliciesandgoodpractices.htm#howto.
    \103\ Serge Egelman et al., ``The Teaching Privacy Curriculum,'' 
2016, 591-96.
---------------------------------------------------------------------------
Innovation in Privacy-Enhancing Technology
    The second area with only limited discussion in the GDPR is the 
role of privacy-enhancing technology. In its report ``Privacy Enhancing 
Technologies: Evolution and State of the Art,'' the European Union 
Agency for Network Information and Security (ENISA, now called the 
Cybersecurity Agency) describes privacy-enhancing technologies (PETs) 
as ``a system of ICT measures protecting informational privacy by 
eliminating or minimizing personal data thereby preventing unnecessary 
or unwanted processing of personal data, without the loss of the 
functionality of the information system.'' \104\ The ENISA report 
describes a wealth of technologies, but the GDPR only mentions two: 
encryption/pseudonymisation and data minimization.
---------------------------------------------------------------------------
    \104\ European Union Agency for Network and Information Security, 
``Privacy Enhancing Technologies: Evolution and State of the Art--
ENISA,'' March 9, 2017, https://www.enisa.europa.eu/publications/pets-
evolution-and-state-of-the-art.
---------------------------------------------------------------------------
    ENISA's related report ``Privacy and Data Protection by Design'' 
explains privacy enhancing technologies including not only encryption 
but also protocols for anonymous communications, attribute-based 
credentials, and private search of databases in addition to a range of 
strategies of multiple practices that firms can employ.\105\ It 
describes a large body of literature on privacy by design but that its 
implementation is weak and scattered. Indeed, privacy and data 
protection features are relatively new issues for engineers, designers, 
and product developers when implementing the desired functionality. To 
address this, ENISA has stewarded the discussion on how to develop a 
repository of such technologies.
---------------------------------------------------------------------------
    \105\ European Union Agency for Network and Information Security, 
``Privacy and Data Protection by Design--ENISA,'' January 12, 2015, 
https://www.enisa.europa.eu/publications/privacy-and-data-protection-
by-design.
---------------------------------------------------------------------------
    Consider how technology and innovation could create better outcomes 
that prescriptive regulation. The GDPR has extensive reporting, 
auditing, and compliance requirements, necessitating that enterprises 
hire data protection officers and that data protection authorities hire 
workers. These requirements will vastly increase the paperwork created 
and stored in databases, itself a cybersecurity risk. If the goal is to 
ensure that entities are practicing data protection, a better system 
could the audit on demand, or even auditable systems, software which 
exposes the relevant information to those users who are interested, 
like ratings used on peer to peer platforms.
    It could be that because privacy by design technologies are 
nascent, policymakers are reluctant to describe them in further detail, 
though this also contradicts the implicit assumption of the GDPR that 
data supervisors know best. However, the GDPR-chosen approach of 
regulation creates path dependency and inevitable outcomes. It clearly 
puts the thumb on the scale in favor of regulation over innovation.
    Such frameworks can have indirect effects in that firms, concerned 
about inadvertently violating many of the tenets of the regulation and 
facing steep fines, will choose not to innovate. The GDPR's Article 25 
on privacy by design and by default offers little in the way of 
incentives. There is no safe harbor for data processors to experiment 
or to implement new privacy by design technologies, so firms risk 
significant fines if their technologies fail, even if they have an 
entrepreneurial willingness to employ improved technologies.
    A review of the literature on the impacts of economic regulation in 
the information communications technology sector shows a detrimental 
impact of regulation on innovation.\106\ Regulation can create a 
deadweight loss in the economy as resources are diverted to regulatory 
compliance and away from welfare-enhancing innovation. A study across 
all major industries from 1997 to 2010 found that less-regulated 
industries outperformed overregulated ones in output and productivity 
and grew 63 percent more. Overregulation increases barriers to entry 
for entrepreneurs, which slows economic growth.\107\ Moreover, 
regulation can crowd out efforts to create new and better systems.\108\
---------------------------------------------------------------------------
    \106\ Luke Stewart, ``The Impact of Regulation on Innovation in the 
United States: A Cross,'' Information Technology and Innovation 
Foundation, June 2010, 18, http://www.itif.org/files/2011-impact-
regulation-innovation.pdf.
    \107\ Antony Davies, ``Regulation and Productivity,'' Mercatus 
Center, May 7, 2014, https://www.mercatus.org/publication/regulation-
and-productivity.
    \108\ Patrick McLaughlin and Richard Williams, ``The Consequences 
of Regulatory Accumulation and a Proposed Solution / Mercatus,'' 
Mercatus Center, February 11, 2014, http://mercatus.org/publication/
consequences-regulatory-accumulation-and-proposed-solution.
---------------------------------------------------------------------------
    As early as 2010, the International Conference of Data Protection 
and Privacy Commissioners resolved that efforts to promote privacy by 
design needed to be more deeply embedded in policy.\109\ The EU could 
offer grants or rewards for designing better technologies, but those 
approaches were declined in the regulation. Instead the EU freezes in 
time one view of data governance to which all controllers must adhere, 
creating a monolithic attack surface. A better approach is to adopt a 
policy declaring the importance of data protection and allow entities 
to evolve the most salient approaches.
---------------------------------------------------------------------------
    \109\ European Data Protection Supervisor, ``International 
Conference of Data Protection and Privacy Commissioners,'' October 27, 
2010, https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/
Documents/Cooperation/Conference_int/10-10-27_Jerusalem_Resolutionon
_PrivacybyDesign_EN.pdf.
---------------------------------------------------------------------------
    The National Institute of Standards and Technology framework offers 
the most salient way forward to design a 21st-century paradigm of data 
protection. The focus on the scientific approach ensures the 
engineering trustworthiness of technology and its incorporation into 
society. Measurement science and system engineering principles can 
support the creation of frameworks, risk models, tools, and standards 
that protect privacy and civil liberties.\110\ As such, Americans can 
develop a better regime through science, technology, and innovation. 
Policymakers can incentivize this with partnerships for grants, prizes, 
award, competitions, and safe harbors for innovation to ensure that 
innovators can innovate without punishment.
---------------------------------------------------------------------------
    \110\ Paul Hernandez, ``Cybersecurity and Privacy Applications,'' 
National Institute of Standards and Technology, August 23, 2016, 
https://www.nist.gov/itl/applied-cybersecurity/cybersecurity-and-
privacy-applications.
---------------------------------------------------------------------------
Data Localization
    Related to the protectionist GDPR is data localization. 
Increasingly, countries are forcing firms to store data locally, 
inhibiting the free flow of information and creating a Balkanized 
internet. Some 34 countries have enacted barriers \111\ to restrict 
data--whether financial, personal, government, telecommunications, or 
others against digital services. The United States International Trade 
Commission describes the importance of global digital trade and the 
many barriers.\112\
---------------------------------------------------------------------------
    \111\ Nigel Cory, ``Cross-Border Data Flows: Where Are the 
Barriers, and What Do They Cost?,'' Information Technology and 
Innovation Foundation, May 1, 2017, https://itif.org/publications/2017/
05/01/cross-border-data-flows-where-are-barriers-and-what-do-they-cost.
    \112\ United States International Trade Commission, ``Despite Huge 
Growth in Global Digital Trade in Recent Years, Some Countries Seek to 
Slow Adoption, Reports USITC,'' press release, September 28, 2017, 
https://www.usitc.gov/press_room/news_release/2017/er0928ll836.htm.
---------------------------------------------------------------------------
    Countries claim that they need data localization to ensure data 
privacy and cybersecurity, help the local digital economy, and ensure 
government access to data, but these reasons are unfounded. Cyber 
threats transcend borders, and the data's location is not a deterrent 
to criminals. While firms take advantage of multiple locations for data 
centers, these centers offer limited support to economic growth. The 
proper strategy to support the local digital economy is to focus human 
capital to create digital goods and services in the country itself. 
Governments can get access to data when they need to with the 
appropriate court orders; the length of time of delivery is a matter of 
seconds.
    Data localism should be addressed appropriately by the rule of law, 
at the World Trade Organization, and with other appropriate 
institutions.
Intellectual Property
    Just as we can describe Title II Internet regulations as government 
taking the physical property of networks, the GDPR is government taking 
the intellectual property of algorithms. Both regulations deny their 
owners their rights of ownership and innovation.\113\
---------------------------------------------------------------------------
    \113\ Roslyn Layton and Bronwyn Howell, ``How Title II Harms 
Consumers and Innovators,'' American Enterprise Institute, July 14, 
2017, http://www.aei.org/publication/how-title-ii-harms-consumers-and-
innovators/.
---------------------------------------------------------------------------
    Protection of intellectual property is enshrined in our 
Constitution.\114\ James Madison reiterated the Copyright Clause in 
Federalist Paper No. 43 noting, ''The utility of this power will 
scarcely be questioned. The copyright of authors has been solemnly 
adjudged, in Great Britain, to be a right of common law. The right to 
useful inventions seems with equal reason to belong to the inventors.'' 
\115\ The product that a person creates with his hands is no different 
than what he creates with his voice or brain. The creator has the right 
to decide how to monetize his creations.
---------------------------------------------------------------------------
    \114\ The Constitution of the United States (Article I, Section 8, 
Clause 8) grants to Congress the powers to promote ``the progress of 
science and useful arts'' by providing inventors the limited but 
exclusive right to their discoveries. This applies to copyrights and 
patents, with trademarks similarly protected by Congress under the 
Commerce Clause (Article I, Section 8, Clause 3). Together, they are 
all protected under the umbrella of intellectual property.
    \115\ James Madison. Federalist No. 43. January 23, 1788
---------------------------------------------------------------------------
    As of December 2016, copyrighted works contributed an estimated 
$1.2 trillion to the U.S. GDP,\116\ accounting for 6.88 percent of the 
U.S. economy, almost as large as the $1.6 trillion Internet economy 
itself.\117\ The Internet intermediaries enjoy intellectual property 
(IP) protection for their software and algorithms. It is illogical that 
the software property protections are honored internationally but not 
the content they deliver. The U.S. loses about $300 billion annually 
from the theft of copyrighted materials.\118\
---------------------------------------------------------------------------
    \116\ Stephen E. Siwek, ``Copyright Industries in the U.S. 
Economy,'' International Intellectual Property Alliance, 2016, https://
iipa.org/files/uploads/2018/01/2016CpyrtRptFull-1.pdf.
    \117\ Comp TIA, ``Cyberstates,'' https://www.cyberstates.org/. 2018
    \118\ Supra Siwek.
---------------------------------------------------------------------------
    Fortunately, advances such as machine learning and cloud computing 
enable online intermediaries to accurately and efficiently identify 
known-infringing content, particularly content that rightsholders have 
shown belongs to them. Technologies and business models continue to 
improve making detection of pirated, unlicensed content more efficient, 
meaning that we can have a strong copyright standard without 
overburdening intermediaries. For example, ad networks can restrict the 
use of advertising on sites with known infringing content, which helps 
restrict revenue to those criminal enterprises designed to illegally 
exploit copyright-protected content. Such tools combat not only pirated 
content but also harmful and pirated goods such as counterfeit 
medicines.\119\
---------------------------------------------------------------------------
    \119\ Daniel Castro, ``PIPA/SOPA: Responding to Critics and Finding 
a Path Forward,'' Information Technology and Innovation Foundation, 
December 5, 2011, https://itif.org/publications/2011/12/05/pipasopa-
responding-critics-and-finding-path-forward.
---------------------------------------------------------------------------
    Like the network regulation debate, the copyright-free movement is 
a coalition of some large tech companies aligned with anti-IP groups 
that want to restrict if not abolish copyright protections.\120\ Some 
copyright ``minimalists'' argue that since they would not have paid for 
the products, stealing improves consumer welfare. Others see piracy as 
merely a form of societal redistribution from rights owners to 
consumers. They leverage databases of millions of users to overwhelm 
political process and create the appearance of grassroots support, for 
example one million signatures on a Change.org petition. This is not an 
authentic reflection of the people but rather the amplified support of 
the digital elite.\121\ Some countries recognize that they do not 
produce a significant amount of exportable digital content, so they see 
no strong incentive to have strong digital copyright enforcement. 
Instead, they see opportunities to create digital platforms that 
leverage the content produced by others, particularly U.S. creators.
---------------------------------------------------------------------------
    \120\ Richard Bennett, ``Europe's Piracy Dilemma, High Tech Forum, 
July 5, 2018, http://hightechforum.org/europes-piracy-dilemma/.
    \121\ Roslyn Layton, ``Net Neutrality: A Numbers Game,'' AEIdeas, 
July 25, 2016, http://www.aei.org/publication/net-neutrality-numbers-
game/; Change.org, ``Stop the Censorship-Machinery! Save the 
Internet!,'' https://www.change.org/p/european-parliament-stop-the-
censorship-machinery-save-the-internet; and Roslyn Layton, ``Dominated 
by the Digital Elite,'' US News & World Report, August 8, 2017, https:/
/www.usnews.com/opinion/economic-intelligence/articles/2017-08-08/the-
digital-elite-dominates-debates-over-net-neutrality-and-title-ii-rules.
---------------------------------------------------------------------------
    Another hypocrisy has emerged in that many advocates of the 
copyright-free moment want regulation to ensure their unfettered access 
to content regardless of the copyright concerns but see no problem when 
the onerous GDPR requirements force content owners to stop serving the 
EU. Similarly, they celebrate the liability protections of the 
Communications Decency Act \122\ and the Online Copyright Infringement 
Liability Limitation Act \123\ afforded to highly regulated common 
carriers in telecommunications, but don't see that the same common 
carriage should apply to their preferred Internet platforms which are 
also granted immunity under the Acts. Such legal policy inconsistencies 
should be investigated and resolved.
---------------------------------------------------------------------------
    \122\ 47 USC 230
    \123\ 17 USC 512
---------------------------------------------------------------------------
    Ideally, by creating transparency to the competing interests, the 
debate can move forward on the merits of the arguments. In any case, 
without copyright, the individual creator has no protection for his 
work, so supporting this position is vital to ensure individual rights.
Some reasons for the decline in U.S. Internet leadership
    The U.S. had a leadership role in Internet governance, but lost it. 
When the U.S. fails to uphold the rule of law in its own country, it 
gives license to other nations to do the same. Moreover, the U.S. 
failed to challenge those countries that violate digital trade 
agreements. During this period in which the U.S. has slackened in it 
own practice of the rule of law, there has been a shift of the 
international view of America over the past 20 years from one of 
respect and reverence to one of resentment. The Pew Research Center's 
Global Attitudes and Trends reports that other nations' opinions of the 
U.S. have diminished from preeminence to a tie with China for the 
world's most popular nation.\124\
---------------------------------------------------------------------------
    \124\ Global Indicators Database, ``Do You Have a Favorable or 
Unfavorable View of the U.S.?,'' Pew Research Center, http://
www.pewglobal.org/database/indicator/1/.
---------------------------------------------------------------------------
    To a number of foreign nations, the explosion of free speech 
restrictions on American college campuses legitimize the efforts to 
clamp down on journalists, dissidents, and other critics of government. 
In the Internet space, a recent and egregious example was in 2014-15. 
The Federal Communications Commission pronounced that one of its 
greatest inventions--the internet--is a mere extension of the telephone 
network and thus a utility to be regulated by the government. It was a 
slap in the face to engineers and inventors whose life's work was 
creating an alternative to the telephone. It disrespected their 
inventions and the technologies of freedom. In addition, it trampled 
the rule of law, in which the people certified through Congress that 
the Internet is to be free and unfettered from state and Federal 
regulation. The move to declare the Internet a utility was welcomed by 
many unsavory nations as perfect justification to apply their favorite 
form of government control on the internet. It is no surprise that 
dozens of nations have engaged in harmful regulation toward the US, a 
country they once respected. Moreover, Internet freedom has been 
declining for the past seven years despite increasing regulation around 
the world purported to protect consumers and ``openness.'' \125\
---------------------------------------------------------------------------
    \125\ Roslyn Layton, ``The Link Between Net Neutrality and 
Declining Internet Freedom,'' AEIdeas, December 15, 2015, http://
www.aei.org/publication/link-net-neutrality-declining-internet-
freedom/. For an updated report, see Freedom House, ``Manipulating 
Social Media to Undermine Democracy,'' https://freedomhouse.org/report/
freedom-net/freedom-net-2017.
---------------------------------------------------------------------------
    This abuse is not limited to government. Leading Silicon Valley 
firms have waged a campaign to impose Internet regulation on the 
telecom industry to avoid interconnection fees and preclude the 
development of competitive business models for content and 
advertising.\126\ While it may be a rational strategy for Silicon 
Valley, it is wrong and unfair to employ political means to secure 
price controls that undermine the efficient functioning of Internet 
markets. As I have demonstrated with more than 5 years of doctoral and 
post-doctoral research, these regulatory policies have been harmful in 
the U.S. and abroad, concentrating Internet traffic to fewer players 
and enshrining a monoculture of platform paradigms and business 
models.\127\
---------------------------------------------------------------------------
    \126\ Internet Association, ``Net Neutrality,'' accessed July 19, 
2018, https://internet
association.org/positions/net-neutrality/.
    \127\ Roslyn Layton. Which Open Internet Framework is Best for 
Mobile App innovation? An empirical inquiry of net neutrality rules 
around the world. Aalborg University, 2017. http://vbn.aau.dk/en/
publications/which-open-internet-framework-is-best-for-mobile-app-
innovation(b1f05c8d-b31e-47cd-b19d-bcf6893e7e5b).html
---------------------------------------------------------------------------
    The imposition of price controls denies infrastructure providers 
revenue to build networks (and tax revenue for governments), undermines 
the emergence of business models that could support local content 
development for socially beneficial goods (particularly in developing 
countries), and unduly burden consumers with the full cost of networks, 
a cost that falls disproportionately on the poor. Moreover, the 
politicized regulatory exercise distracts scarce policymaking resources 
away from real problems, which are empirically demonstrated to be the 
malign acts of governments to censor people, services, and data.\128\ 
Indeed, many internet-related firms and industries have taken advantage 
of the regulatory process to win favorable treatment for themselves at 
the expense of their competitors and consumers. Foreign counterparts 
have learned from the rent-seeking behavior of Americans firms, and it 
has boomeranged. Now foreign governments find ways to regulate American 
firms to reward their domestic players.\129\
---------------------------------------------------------------------------
    \128\ Freedom House, ``Freedom on the Net 2017,'' https://
freedomhouse.org/report/freedom-net/freedom-net-2017.
    \129\ Roslyn Layton, ``Net Neutrality Will Be Reincarnated as 
Platform Regulation,'' AEIdeas, December 20, 2017, http://www.aei.org/
publication/net-neutrality-will-be-reincarnated-as-platform-
regulation/.
---------------------------------------------------------------------------
    Moreover the U.S. has distracted itself with phantom fears and 
instead of focusing on real threats. The U.S. may have been the leader 
in 4G, but leadership is not assured in future generations. The Chinese 
government wants its country's device, app, and service developers to 
win the race for the 5G ecosystem. China has already replaced the U.S. 
as the world's largest mobile app market,\130\ unseating the U.S. in 
downloads and revenue in 2016. The U.S., caught up in crony squabbles 
and rent-seeking regulation over the past decade, took its eye off the 
ball. The real threat to Silicon Valley is not the Nation's 4,551 
Internet service providers, but rather Chinese Internet giants, 
including Baidu, Alibaba, and Tencent, which make the U.S. players look 
tame by comparison.\131\
---------------------------------------------------------------------------
    \130\ App Annie Content, ``App Annie Mobile App Forecast: China to 
Surpass the U.S. in 2016,'' accessed July 19, 2018, https://
www.appannie.com/en/insights/market-data/mobile-app-forecast-china-to-
surpass-us-in-2016/.
    \131\ CTIA, ``How America's 4G Leadership Propelled the U.S. 
Economy''; Raymond Zhong, ``Worried About Big Tech? Chinese Giants Make 
America's Look Tame,'' New York Times, May 31, 2018, https://
www.nytimes.com/2018/05/31/technology/china-tencent-alibaba.html.
---------------------------------------------------------------------------
    Unless it wants to capitulate for China, American industry needs to 
set aside its crony games and start to play for Team USA. Telecom, 
content, software, and hardware companies should all play for the same 
team. They should partner to complement each other's strengths, 
leveraging the appropriate actors for the conversation. Moreover, Team 
USA should grow the bench and bring new valuable actors into the fold. 
The more robust our market and diversified our business models, the 
less likely China will be able disrupt it.\132\
---------------------------------------------------------------------------
    \132\ Sara Fischer, ``U.S. Big Tech Is Still Beating out China,'' 
Axios, July 24, 2018, https://www.axios.com/us-big-tech-china-silicon-
valley-fe76b105-d9d0-4b34-8632-7e91b8f6d9a2.html.
---------------------------------------------------------------------------
Earning the leadership role again
    The U.S. needs to model the behavior it wants to see in the world 
by upholding the rule of law and respect for individual rights. When 
American enterprises operate abroad--whether they are for-profit 
corporations or nonprofit entities--they want a rational, predictable, 
and consistent framework across the board. Such a framework allows the 
enterprise to minimize costs, maximize revenue, ensure efficiency, and 
allow improvement and innovation. To ensure the ideal framework abroad, 
enterprises should advocate for the ideal framework at home. Therefore, 
the policy should be a consistent set of rules for all players, 
grounded in modern, evidenced-based standards of antitrust and 
delivered by the FTC.\133\ This also requires removing the asymmetric 
regulation and regulatory prejudice that have stymied innovation in 
business models and platforms.
---------------------------------------------------------------------------
    \133\ Richard Bennett et al., Comments on Communications Act 
Modernization, January 31, 2014, https://ssrn.com/abstract=2388723.
---------------------------------------------------------------------------
    We must also let go of antique notions of Internet architecture and 
outdated regulations that prohibit innovation e.g., this wooden notion 
of network core and edge. It is precisely these regulatory prejudices 
that have precluded the network design advancements that can improve 
security.\134\ It was a reasonable to trust the digital community in 
the days of the ARPANET when the users were a handful of scientists and 
engineers. With billions of Internet users today, assumed trust is not 
an option. Cyberattacks and threats are commonplace and demand to be 
addressed within the framework of defense. Perpetrators of 
cyberattacks, notably rogue states, should be punished by ending visas, 
freezing assets, and other punitive tools of international law. Modern 
cybersecurity requires advanced information-sharing among global 
partners, a market for cyber insurance, freedom of parties to exercise 
self-defense, and the augmentation government's coordination with 
military, business, and hacker communities.\135\ Some suggest that the 
cybersecurity crisis is the outcome of obsolete networked computer 
architecture and demands a new paradigm of cryptography, the 
architecture of blockchain, and its derivatives. It is suggested that 
this emergent architecture will enable a new form of payments on the 
Internet and topple reigning monopolies.\136\
---------------------------------------------------------------------------
    \134\ Jaikumar Vijayan, ``Net Neutrality Could Hinder Efforts to 
Safeguard Web, Worry Security Experts,'' Christian Science Monitor, 
February 27, 2015, https://www.csmonitor.com/World/Passcode/2015/0227/
Net-neutrality-could-hinder-efforts-to-safeguard-Web-worry-security-
experts.
    \135\ Jeffrey A. Eisenach et al., ``An American Strategy for 
Cyberspace: Advancing Freedom, Security, and Prosperity,'' American 
Enterprise Institute, June 3, 2016, http://www.aei.org/spotlight/
american-strategy-for-cyberspace/.
    \136\ George Gilder, Life After Google: The Fall of Big Data and 
the Rise of the Blockchain Economy (Gateway Publishers, 2018).
---------------------------------------------------------------------------
    Let me close with a story that demonstrates how the U.S. pursuing 
its national interest has been a force for good.\137\ Upon coming into 
office, Thomas Jefferson was confronted of the problem of American 
merchant ships being seized by the Barbary States of Northern Africa; 
the goods were confiscated and the crews enslaved. Most countries paid 
ransom so that they could traverse the Mediterranean. American 
representatives had tried negotiation for some 20 years, but the 
situation grew worse. Over 1 million Europeans and Americans had been 
captured by the Barbary pirates over the period.
---------------------------------------------------------------------------
    \137\ Gordon Wood. Revolutionary Characters: What Made the Founders 
Different. Penguin Press, 2006.
---------------------------------------------------------------------------
    On the eve of his inauguration, Jefferson's request to Congress was 
authorized, dispatching naval ships to the region to recover the 
hostages and destroy the pirate fleets. Sweden and Sicily joined the 
effort because they too had suffered the Barbary scourge. After a 
series of battles, the U.S. emerged victorious, returned the stolen 
goods to the various European nations, and returned to the U.S. with 
the American hostages. The Barbary Wars became a vindication for 
Jefferson whose critics wanted him to focus inward on the Louisiana 
purchase. Winning the Barbary Wars solidified free trade in the 
Mediterranean.
    Just as Jefferson had to secure the sea lanes for trade in the 19th 
century, we must secure the information lanes for the free flow of data 
in the 21st. Otherwise we appease mercantilist nations by letting them 
violate international law, and the situation grows worse. Ideally the 
issues can be resolved in the context of trade negotiation. 
Alternatively, we can create a better regime which becomes so popular 
that the rest of the world joins it, isolating the mercantilists. Or we 
can fight. This is not to suggest a military war, but a war in the 
court.

    Senator Wicker. Thank you very much, Dr. Layton.
    Ms. Zheng.

STATEMENT OF DENISE E. ZHENG, VICE PRESIDENT, POLICY, BUSINESS 
                           ROUNDTABLE

    Ms. Zheng. Chairman Wicker, Ranking Member Schatz, members 
of the Subcommittee, thank you for the opportunity to testify 
on behalf of the Business Roundtable.
    Today, few companies can compete and succeed without making 
extensive use of data and digital systems, but recently there 
has been a rapid increase in the number of policies around the 
world that undermines digital innovation, trade, by creating 
fragmentation, uncertainty, significant compliance costs, and 
other unintended consequences.
    The compliance environment is increasingly cumbersome for 
large companies and simply impossible for small companies and 
startups to comply. The EU and China are the most active 
players in rolling out digital regulations, but India, Russia, 
South Korea, and other Asian and Latin American countries are 
ramping up efforts to develop and enforce a wide range of 
cybersecurity, privacy, and data localization policies.
    China has the most aggressive regime in place, mandating 
all important information and personal information be stored 
locally in China. As currently defined, the law would require 
any entity that owns or operates a computer network and applies 
to a vast assortment of different types of data.
    India, Russia, Nigeria, South Korea all have enacted laws 
that prohibit transferring various types of business and 
consumer data. In fact, at least 34 different countries have 
data localization requirements that can raise the cost of 
posting data by an estimated 30 to 60 percent for covered 
companies.
    Approximately 120 countries currently have data privacy 
laws and many more countries are considering legislation in 
this area. Some companies have decided to discontinue offering 
products and services in the EU because of GDPR compliance 
costs which are so high that they can no longer justify being 
in the market.
    For example, some firms are blocking EU-based users from 
their products and services, including from visiting their 
websites, to avoid facing steep fines of 20 million Euros or 4 
percent of annual revenue, whichever is higher. The GDPR alone 
is costing Global Fortune 500 companies a combined total of 
$7.8 billion this year to comply.
    Fragmentation of domestic policy regulations in the United 
States is also on the rise. In addition to several existing 
sector-specific Federal and state privacy regulations, 
California recently passed a privacy bill that applies broadly 
across many sectors. Numerous other privacy proposals are 
pending in state legislatures that, if passed, would further 
increase the complexity of privacy regulations across the U.S.
    Cybersecurity regulations are also expanding globally. The 
financial services industry is an example of a sector that 
faces an expanding number of international cybersecurity 
requirements with more than 40 different policies, including 
overlapping mandatory risk assessments, penetration testing, 
and incident reporting to multiple authorities in each country.
    Now don't get me wrong. Cybersecurity is a serious matter. 
We should have mechanisms in place to ensure adequate 
protection, but uncoordinated policies across countries means 
that companies must reconcile competing regulations that divert 
resources away from security toward compliance.
    A fragmented international digital policy landscape will 
likely have the most significant impact on startups and small- 
and medium-sized companies with limited resources to comply 
with ambiguous requirements and pay-for-views in countries like 
China with excessive paperwork associated with EU policies.
    And emerging technologies, like artificial intelligence and 
block chain, are also hindered by regulatory uncertainty. For 
example, the data minimization, automated decisionmaking, and 
right to erasure provisions of the GDPR could create barriers 
to the commercial development of these important technologies.
    In light of these trends, I would like to end by outlining 
four areas for congressional focus.
    The first is to work on establishing alliances, 
particularly with like-minded countries, to counter technology 
restrictions as a condition to accessing foreign markets. We 
are more effective with strong partners and allies.
    Second, the U.S. must lead in the development of 
international norms, best practices, and standards for 
cybersecurity, privacy, and cross-border data flows, as well as 
emerging technologies, such as AI and block chain, because 
rules for those technologies do not yet exist.
    Third, the U.S. must work to align and harmonize policies 
to avoid global fragmentation. We cannot afford to be missing 
from the important international forums on additional policy 
issues as China and other countries are actively seeking to 
rewrite the rules of the Internet that are fundamentally at 
odds with open markets and democratic values.
    And, finally and perhaps most immediately, Congress should 
act to protect transatlantic border data flows under the 
Privacy Shield by making the ombudsperson a permanent position 
within the State Department.
    It should also act swiftly to confirm the nominees for the 
Privacy and Civil Liberties Oversight Board, which plays a 
critical role in fulfilling the requirements under the Privacy 
Shield.
    Mr. Chairman, thank you for your leadership in holding this 
hearing and for encouraging a dialogue. I look forward to 
taking questions.
    [The prepared statement of Ms. Zheng follows:]

    Prepared Statement of Denise E. Zheng, Vice President, Policy, 
                          Business Roundtable
    Chairman Wicker, Ranking Member Schatz, Members of the 
Subcommittee, thank you for the opportunity to testify on behalf of 
Business Roundtable regarding international policies related to the 
Internet and digital platforms--more broadly referred to as 
``information and communications technology'' (ICT)--and their impact 
on competitiveness, investment, and innovation.
    Business Roundtable is an association of chief executive officers 
(CEOs) of the world's largest multinational companies. Collectively, 
our member companies employ more than 16 million people across all 
sectors of the economy. It is a commonly held misperception that ICT 
policies only affect the technology industry. The reality is that few 
companies can compete and succeed today without making extensive and 
effective use of data and digital platforms.
    Recently there has been a rapid increase in the number of complex, 
conflicting, and uncoordinated ICT public policies from governments 
around the world. This trend undermines global digital innovation and 
trade by creating policy and regulatory fragmentation, business 
uncertainty, overwhelming compliance costs, and other unintended 
consequences.
Trends in Global ICT Policy
    Governments have a responsibility to develop ICT policies that 
provide for national security, protect public safety, and ensure 
individual privacy. But too often, countries are defining security, 
privacy, and safety in an overly broad manner, resulting in a wide 
array of laws and regulations that erect barriers to an interoperable 
and open global internet. In some cases, nations impose ICT policies 
for the stated purpose of cybersecurity and privacy, even though the 
policies are designed primarily to keep U.S. companies out and protect 
local industries. In other cases, the global patchwork of various 
cybersecurity and privacy requirements creates a compliance nightmare 
that is cumbersome and costly for large companies and impossible for 
small companies and startups.
    The European Union (EU) and China are currently the most active 
players in developing and implementing ICT policies. But India, Russia, 
South Korea, and other Asian and Latin American countries are ramping 
up efforts to develop and enforce a wide range of cybersecurity, 
privacy, and data localization policies. Already at least 34 different 
countries have data localization requirements, while approximately 120 
countries have data privacy laws and many more countries are 
considering legislation in this area.\1\
---------------------------------------------------------------------------
    \1\ Pfeifle, S. (2017, September) Is the GDPR a data localization 
law? Retrieved from https://iapp.org/news/a/is-the-gdpr-a-data-
localization-law/
---------------------------------------------------------------------------
    The following sections highlight a selection of ICT policies that 
have a significant impact on Business Roundtable members and other 
U.S.-based companies.
Data Localization
    China has the most aggressive data localization laws. China's 
Cybersecurity Law that went into effect in June 2017 requires all 
``important information'' and ``personal information'' to be stored in 
China. Under this regime, ``network operators'' are prohibited from 
transferring covered data outside of China without undergoing a 
government-mandated security assessment. As currently defined, the law 
could cover any entity that owns or operates a computer network and 
applies to a vast and ambiguous assortment of different types of data. 
China is not the only country with data localization requirements: 
India, Russia, Nigeria, and South Korea all have enacted laws that 
prohibit the transfer of a range of business and consumer data outside 
of their respective jurisdictions. In some cases, these laws mandate 
physical servers be installed in-country as a condition of doing 
business.
    This growing number of localization requirements is already proving 
costly for many industry sectors, including health, retail, finance, 
insurance, energy, manufacturing, and technology. These mandates are 
making it increasingly difficult for U.S. companies to do business in 
key markets such as Asia and Latin America.
Cybersecurity
    Cybersecurity regulations are expanding globally. For example, 
China, which has some of the most heavy-handed regulations, requires 
companies in industries deemed to be ``critical'' to demonstrate that 
their technology systems are ``secure and controllable.'' Such 
companies must undergo inspections and assessments of company networks 
and are mandated to disclose computer program source code to the 
Chinese government for review. The European Council recently proposed a 
new cybersecurity regulation (the EU Cybersecurity Act) that would 
create a security certification regime for ICT products and services. 
If the law takes a mandatory, rather than voluntary, approach, it could 
have the effect of dictating how American firms design, develop, 
manufacture, and deliver ICT products and services.
    The financial services sector, in particular, faces an expanding 
number of international cybersecurity regulations, with more than 40 
different international cybersecurity policies already in place,\2\ 
ranging from risk assessments to penetration testing to incident 
reporting. In this environment, companies must reconcile competing and 
redundant cybersecurity regulations that divert significant resources 
from truly effective cybersecurity measures toward time-consuming 
compliance activity, such as certifications and questionnaires.
---------------------------------------------------------------------------
    \2\ World Bank Group, Financial Sector Advisory Center (2017, 
October) Financial Sector's Cybersecurity: A Regulatory Digest. 
Retrieved from http://pubdocs.worldbank.org/en/5249
01513362019919/FinSAC-CybersecDigestOct-2017-Dec2017.pdf
---------------------------------------------------------------------------
Privacy
    In May 2018, the EU's General Data Protection Regulation (GDPR) 
went into effect and established the most expansive privacy regime in 
the world. The GDPR covers nearly all types of personal data and 
affects business-to-consumer as well as business-to-business firms. The 
GDPR has an extraterritorial application meaning that its scope covers 
any company, regardless of whether it is based in the EU or not, that 
meets the law's threshold requirements for processing personal data of 
individuals in the EU.
    This means that some companies, such as those that cannot justify 
spending the resources necessary to demonstrate compliance with the 
GDPR, are forced to take steps to block EU-based users from using their 
products and services, including from visiting their websites, to avoid 
facing steep fines of up to 20 million euros or 4 percent of annual 
revenue, whichever is higher. The GDPR limits transfers of personal 
data outside of the EU unless certain adequacy standards are met; it 
also requires companies to notify EU and national regulators of 
security breaches of personal data within 72 hours of the incident.
    The EU is actively promoting the adoption of the GDPR as a model 
for privacy regulations in other countries. In addition, Brazil and 
other Latin American countries are proposing or have enacted laws that 
adopt many aspects of the GDPR.
    The risk of domestic regulatory fragmentation within the United 
States for privacy is also high. In addition to several existing 
sector-specific Federal and state privacy regulations, California 
recently passed a consumer privacy bill that applies broadly across 
many sectors. Numerous other data privacy legislative proposals are 
pending in state legislatures that, if passed, would further increase 
the complexity of privacy regulations across the United States. That is 
why Business Roundtable is working to develop privacy principles that 
strengthens protections for consumers but also preserves innovation in 
the digital economy.
Government Access to Data
    The growth of digital communications over the past two decades has 
created new challenges as well as opportunities for law enforcement. 
For instance, several countries have sought to restrict the use of 
encryption or imposed data localization mandates to facilitate law 
enforcement's access to data for investigative purposes or government 
surveillance.
    Both China and Russia mandate companies decrypt and localize data 
for law enforcement and surveillance. In 2016, Russia passed a law that 
explicitly required Internet service providers to provide backdoor 
access to encrypted data and store all consumer communications for six 
months. France, the United Kingdom, Brazil, India, and other countries 
have also enacted laws that regulate the use of encryption in digital 
communications.
    Not only do these laws erode security and privacy on the internet, 
they also have a significant impact on the interoperability of digital 
platforms across borders and undermine consumer trust in technology.
Consequences of Uncoordinated International ICT Policies
    The current state of global ICT policy is complex, chaotic, and 
fragmented and could undermine growth and innovation in the digital 
economy and emerging technologies.
Fragmentation and Legal Uncertainty
    As CEOs that run the largest American companies, Business 
Roundtable members operate in many jurisdictions and serve customers 
around the globe. The international regulatory environment for ICT 
policy is forcing companies across all sectors to reconcile 
overlapping, duplicative, and sometimes conflicting requirements. The 
legal uncertainty that results from policy and regulatory fragmentation 
undermines investment, growth, and job creation. Ambiguous requirements 
and inconsistent enforcement in some countries increases the risk of 
doing business and can lead companies to reject, defer, or reconsider 
investments.
Compliance Costs
    The GDPR alone is estimated to cost Fortune 500 companies a 
combined $7.8 billion to comply, or about $16 million per firm.\3\ 
Another survey found that large organizations of 25,000 or more 
employees each are budgeting an average of $30 million to comply with 
the GDPR. Much of the cost is related to ``check the box'' exercises 
that demand significant investment from companies regardless of their 
risk profile. Some companies have decided to discontinue offering 
products and services in the EU because compliance costs are so high 
that they can no longer justify being in the market. It is not unusual 
for those surfing the web in the EU to come across websites from 
vendors that have nothing more than a note saying that due to GDPR 
requirements, the site cannot be accessed.
---------------------------------------------------------------------------
    \3\ IAPP-EY (2017) IAPP-EY Annual Privacy Governance Report 2017. 
Retrieved from https://iapp.org/news/a/survey-fortune-500-companies-to-
spend-7-8b-on-gdpr-compliance/
---------------------------------------------------------------------------
    Data localization requirements can impose significant compliance 
burdens that raise the cost of hosting data by 30 to 60 percent for 
companies that are covered by such requirements.\4\ A study done by the 
European Centre for International Political Economy estimates that 
enacted or proposed data localization mandates in China could cost up 
to 1.1 percent of its GDP and the cost of data localization 
requirements in the EU could cost nearly 0.4 percent of its GDP.\5\
---------------------------------------------------------------------------
    \4\ Leviathan Security Group (2015). Quantifying the Cost of Forced 
Localization. Retrieved from https://static1.squarespace.com/static/
556340ece4b0869396f21099/t/559dad76e4b0899d97726a8b/1436396918881/
Quantifying+the+Cost+of+Forced+Localization.pdf
    \5\ European Centre for International Political Economy (2016 
March). Unleashing Internal Data Flows in the EU: An Economic 
Assessment of Data Localisation Measures in the EU Member States 
Retrieved from http://ecipe.org/app/uploads/2016/12/Unleashing-
Internal-Data-Flows-in-the-EU.pdf
---------------------------------------------------------------------------
Unintended Consequences
    A fragmented international ICT policy landscape will likely have 
the most significant and adverse impact on startups and small- and 
medium-size companies with limited resources to navigate ambiguous 
requirements and opaque reviews in countries like China or excessive 
paperwork associated with complying with EU policies. These compliance 
costs will make it more difficult for such promising and innovative 
companies to thrive and expand.
    Emerging technologies such as artificial intelligence and 
blockchain are also hindered by regulatory uncertainty and are the next 
likely targets for policy and regulatory fragmentation. The data 
minimization, automated decision-making, and ``right to erasure'' 
provisions of the GDPR can create barriers to the commercial 
development of important emerging technologies which improve and 
innovate new products and services for consumers. I will give you two 
specific examples of this: First, the GDPR imposes restrictions at 
every stage that a company collects, processes, uses, and retains 
personal data, and the impact of these restrictions on the development 
of machine learning tools is uncertain. Some companies may decline to 
integrate machine learning into their business to avoid such hurdles. 
Second, companies using blockchain and distributed ledger systems, 
technologies rooted in the notion that information should not be 
unilaterally amended or deleted from networks, will face difficulty in 
responding to data subject requests, authorized by the GDPR, to amend 
and delete their own data.
Recommendations
    Congress has an important role in creating and fostering a global 
policy environment for an open, interoperable, and global Internet and 
to promote the continued economic growth of the digital economy. To 
that end, Business Roundtable recommends the following actions:

   Establish Alliances with Like-Minded Countries to Counter 
        Protectionist ICT Policies. The U.S. Government should build 
        alliances with like-minded countries to counter technology 
        restrictions, protectionist cybersecurity and data localization 
        requirements, and requirements for businesses to transfer 
        technology and intellectual property as a condition to 
        accessing foreign markets.

   Lead in Development of International Norms, Best Practices, 
        and Standards for ICT. The U.S. Government and U.S. companies 
        should lead in developing norms, best practices, and standards 
        for the Internet and digital platforms. Areas of focus include 
        cybersecurity, privacy, and cross-border data flows. At the 
        same time, emerging technologies such as artificial 
        intelligence, autonomous vehicles, blockchain, Internet of 
        things, and robotics require serious attention, because rules 
        do not yet exist.

   Seek to Align or Harmonize Requirements to Avoid Global 
        Fragmentation. In the face of an already fragmented 
        environment, the U.S. Government should play a leadership role 
        to align or harmonize where possible existing ICT policies, 
        regulations, and standards globally, and maintain that same 
        approach for emerging technologies to avoid costly 
        fragmentation. The United States cannot afford to be missing 
        from important international forums on ICT issues, as China and 
        other countries are actively seeking to rewrite the rules of 
        the Internet and digital economy that are fundamentally at odds 
        with open markets and democratic values.

   Protect Transatlantic Cross-Border Flows. Congress should 
        act to protect the EU-U.S. Privacy Shield by making the Privacy 
        Shield Ombudsperson a permanent position of the U.S. Department 
        of State. It should also act swiftly to confirm the nominees 
        for the Privacy and Civil Liberties Oversight Board, which 
        plays a critical role in fulfilling the requirements of the EU-
        U.S. Privacy Shield.

    Mr. Chairman, Ranking Member Schatz and Members of the 
Subcommittee, thank you for the opportunity to present Business 
Roundtable's views on information and communications technology and 
their impact on competitiveness, investment, and innovation. The global 
policy environment around ICT represents a serious concern to leaders 
of these American companies that drive economic growth and job creation 
in the United States and across the world.

    Senator Wicker. Thank you very much.
    Mr. Painter.

             STATEMENT OF CHRISTOPHER M.E. PAINTER,

               COMMISSIONER, GLOBAL COMMISSION ON

                  THE STABILITY OF CYBERSPACE

    Mr. Painter. Chairman Wicker, Ranking Member Schatz, 
members of the Subcommittee, it is a pleasure to be here today 
to discuss the impact of global Internet governance on American 
businesses, end users, and the U.S. policy of promoting and 
maintaining an open, interoperable, and secure Internet.
    For over 26 years, I have devoted my life to cyber and 
Internet issues, including, most recently, serving as the first 
coordinator for cyber issues at the Department of State. In 
that role, I worked with components across the department, the 
interagency, and outside stakeholders to advance the U.S. 
vision of cyberspace and combat both technical and policy 
challenges.
    I'll focus today on some of the policy challenges and 
recommendations to address them.
    First, it's important to note that the policy threats we 
face, though distinct, are often interrelated and have 
economic, human rights, and security elements. For example, 
when China claims absolute sovereignty over its cyberspace and 
erects a digital wall around its territory in the name of 
security that has profound economic and human rights 
implications.
    It is vital, therefore, that our response to these 
challenges not be left silent but be coordinated. We need to go 
to the full range of departments, agencies, and other 
stakeholders to advance an integrative and strategic U.S. 
policy.
    Second, cyber and Internet issues are now being debated in 
virtually every country and every international and regional 
organization. Indeed, I believe we've reached an inflection 
point where the issues discussed and the decisions reached in 
these multiple forums will have a major impact on the future of 
the Internet and cyberspace.
    Accordingly, advancing the U.S. vision of cyberspace, 
including U.S. commercial interests, requires unprecedented 
U.S.-international engagement and strategic U.S. leadership.
    Among the many policy challenges we face are threats by 
repressed regimes to replace the system of multi-stakeholder 
Internet governance with one that is driven by government-only 
multilateral bodies, in part to control content and curtail the 
free flow of information, threats posed by China, Russia, and 
others to online freedom to have both negative human rights and 
economic impacts, mandatory data localization requirements that 
are not scalable or economically practicable and are often used 
by repressive governments to help monitor and control their 
citizens, and countries and multilateral bodies around the 
world enacting or considering regulatory policy or legal 
regimes dealing with some aspect of cyberspace, including 
online privacy, cybersecurity, market access, and emerging 
technology that conflict with the U.S. values and interests or 
risk creating conflicting regimes that fragment the Internet.
    And, finally, threats by nation states, organized criminal 
groups, and other bad actors that threaten to undermine our 
confidence in the Internet and network technologies and strike 
at the very core of our economy and democracy.
    My overarching recommendation to address these challenges 
is for the U.S. to step up its international engagement on 
these issues and make them a true national priority. This 
requires enhanced structure of resources and a whole of 
government cross-cutting strategy.
    On structure, I applaud the continued efforts of my former 
colleagues at State, Commerce, and other agencies, but I 
believe those efforts have been hampered by the lack of a 
sufficiently high-level office at the State Department and the 
recent abolition of the cyber coordinator position at the White 
House.
    I commend the House and Senate efforts to restore, 
strengthen, and institutionalize my former office in the Cyber 
Diplomacy Act, and I'm particularly pleased that these efforts 
were bipartisan, reflecting the bipartisan nature of most of 
these issues.
    In the past, necessary whole of government coordination on 
these cross-cutting issues has been significantly boosted by 
the cyber coordinator position of the National Security 
Council. The loss of that high-level position, coupled with at 
least the temporary demotion of my prior office, complicates 
interagency coordination and also sends an unfortunate signal 
to both our friends and our adversaries that the Administration 
is not really prioritizing these issues.
    Resources are also vital. This, importantly, includes 
funding for capacity-building that was severely cut last year. 
Capacity-building includes working with foreign governments on 
aspects of Internet governance or regulatory policy, helping 
countries enact appropriate laws and strategies, and working 
with countries to boost their ability to combat cyber crime and 
have strong cyber-security capabilities.
    For a relatively small amount of money, targeted capacity-
building not only helps the U.S. by helping other countries 
gain the ability to work with us, but it also helps win the 
support of developing countries for our vision of the Internet 
and cyberspace.
    It's also important for the private sector, civil society, 
and other stakeholders to continue to engage in these efforts 
and enhance their participation. Though many companies and 
civil society groups are already making valuable contributions 
in a variety of international forums, given what is at stake, 
we must find ways to help increase participation.
    Finally, it is important that the U.S. has a high-level 
cross-cutting integrated strategy that leverages all relevant 
government agencies, outside stakeholders, and like-minded 
countries to deal with the many challenges we face 
internationally and help to direct and prioritize our 
engagement.
    I make a number of other suggestions in my written 
testimony, including strengthening multi-stakeholder 
institutions, including the Internet Governance Forum, showing 
leadership on privacy and other Internet policies, addressing 
data localization through, among other things, the CLOUD Act, 
and supporting cybersecurity/cyber crime and stability efforts, 
but all are dependent on an effective and strategic 
international engagement plan.
    I look forward to your questions.
    [The prepared statement of Mr. Painter follows:]

 Prepared Statement of Christopher M.E. Painter, Commissioner, Global 
               Commission on the Stability of Cyberspace
    Chairman Wicker, Ranking Member Schatz, members of the Senate 
Subcommittee on Communications, Technology, Innovation and the 
Internet, it is a pleasure to appear before you today to discuss the 
impact of global Internet governance and policies on American 
businesses, end users and the U.S. policy of promoting and maintaining 
an open, interoperable, secure and reliable communications and 
information infrastructure that is the foundation for economic 
prosperity, innovation, social growth and the exercise of human rights. 
For over twenty-six years I have devoted my life to cyber and Internet 
issues, serving as a Federal prosecutor specializing in cybercrime, a 
senior official at the Department of Justice and the FBI, a Senior 
Director of Cybersecurity Policy at the National Security Council and, 
most recently, as the first Coordinator for Cyber Issues at the 
Department of State. I have continued to work on these issues since 
leaving the Federal Government, among other things, serving as a 
Commissioner on the Global Commission for the Stability of Cyberspace 
and a Board member of the Center for Internet Security.
    My role as Coordinator for Cyber Issues at the State Department was 
the first such office established in a foreign ministry. There are now 
over twenty-five such offices in foreign ministries around the globe. 
In recognition of the cross-cutting and interdependent nature of cyber 
and Internet issues--including economic, human rights and security 
issues--my former office had a broad mandate, and worked with 
components across the Department, the interagency, the private sector, 
civil society and other stakeholders, to advance the U.S. vision of an 
open and secure cyberspace. In my six and a half years as Coordinator, 
I worked to help realize the many benefits of cyberspace while 
combatting the ever mounting technical and policy threats we face. For 
purposes of this hearing I will focus on some of the policy challenges, 
including threats to the multi-stakeholder system of Internet 
governance, threats to freedom of expression and other human rights 
online, challenges relating to cybersecurity and stability, and the 
threat of inconsistent or misguided regulatory or policy regimes that 
threaten to fragment the global Internet and undermine its economic and 
social value. I will also make some recommendations to address these 
challenges.
    First, I would like to make some general observations. The policy 
threats we face, though distinct, are also inter-related and have 
economic, human rights and security elements. For example, when China 
claims absolute sovereignty over its cyberspace and erects a digital 
wall around its territory in the name of security, that has profound 
economic and human rights implications. Similarly, when a country 
enacts a regulatory regime for cybersecurity, privacy or some other 
goal, it could, intentionally or unintentionally, significantly affect 
the free flow of information over the Internet and act as market 
barrier. It is vital therefore that our response to these challenges 
not be siloed but be coordinated--bringing together the full range of 
departments, agencies and other stakeholders to advance an integrated 
and strategic U.S policy. Second, cyber and Internet issues are now 
being debated in virtually every country and every international and 
regional organization (including the G7, G20, OECD, ITU, OAS, ASEAN, 
OSCE and multiple committees in the UN devoted to security, human 
rights, economic and development issues). Indeed, I believe we have 
reached an inflection point, where the issues discussed and the 
decisions reached in these multiple forums will have a major impact on 
the future of the Internet and cyberspace--determining whether we can 
all continue to benefit from this incredible technology based on the 
free flow of information and multi stakeholder governance or whether 
the growing technical and policy threats will lead to fragmentation and 
undermine its incredible potential.
    Accordingly, advancing the U.S. vision of cyberspace, including 
U.S. commercial interests, requires unprecedented U.S. international 
engagement and strategic U.S. leadership. Both structure and resources 
need to be addressed to enable the level of engagement that is now 
required.
Challenges
    Though I won't attempt to catalogue the all of the many policy 
challenges we face in cyberspace, some of those relevant to this 
hearing include:
Maintaining Multi-stakeholder Internet Governance
    The U.S. has long advocated a multi-stakeholder approach to 
Internet governance that is characterized by a transparent, bottom-up, 
consensus driven process in which all stakeholders--including 
governments, the private sector, civil society, the technical community 
and academia--participate on an equal footing. This relatively novel 
approach is responsible for the tremendous growth of the Internet 
around the world and has enabled the free flow of information, vast 
commercial opportunity, innovation, resilience and robust technical 
evolution. Among others, the organizations responsible for the 
technical operation of the Internet and multi stakeholder discussions 
of policy issues include the International Corporation for Assigned 
Names and Numbers (ICANN), the Internet Engineering Task Force (IETF) 
and the Internet Governance Forum (IGF). Though these and other 
institutions can and should be further strengthened, through, for 
example, more inclusive participation, they have served the community 
well. Nevertheless, for many years, a number of more repressive 
countries, and Russia and China in particular, have sought to impose 
greater state control on the Internet and have pushed for an intra-
governmental body, such as the United Nations, to take over technical 
governance and Internet policy. In part, their push for intra-
governmental control is based on their desire to control information 
and expression that they believe can threaten regime stability. 
Imposing a multilateral government control mechanism would 
fundamentally change the Internet as we know it, and would seriously 
affect the free flow of information, human rights online and thwart 
innovation and growth. Fortunately, the U.S. working with like-minded 
partners around the world, has succeeded so far in pushing back against 
these efforts so far but they are likely to continue to be raised in 
the future. For example, the Plenipotentiary of the International 
Telecommunications Union, a meeting that occurs every four years to 
chart the ITU's mandate, is happening this fall. The ITU is a UN body 
that is made up of country representatives who largely have 
telecommunications expertise and, although other stakeholders can 
participate in discussion, they are excluded from decisions--a far cry 
from a multi-stakeholder body. In past meetings, some governments have 
tried to expand the ITU's scope to include technical Internet 
governance and the ITU has often itself has tried to expand its role 
beyond its area of expertise to deal with a number of cyber and 
Internet policy issues. The U.S. must continue to be on high alert to 
these and other efforts and strategically work with other countries and 
stakeholders to thwart attempts to undermine the multi-stakeholder 
approach that has served us well.
Ensuring Freedom of Expression and Human Rights Online
    The global Internet has enabled unprecedented communication and 
expression and that free flow of information has had tremendous human 
rights and economic benefits. Yet despite the economic and social 
benefits of an open Internet, some states see that openness, as 
discussed above, as a threat to regime stability and seek to curtail it 
by censorship, repression and restricting Internet access. The Freedom 
on the Net Report 2017, published by Freedom House, details a sobering 
picture of declining Internet freedom around the world and the actions 
of many repressive countries to control and manipulate speech and 
content. In addition, network shutdowns are a growing problem around 
the world where a government restricts the public's access to the 
Internet during an election or other political event. Some 
cybersecurity policies can also have human rights implications. While 
the U.S. encourages countries to have cybersecurity strategies that 
fully incorporate human rights and economic interests, some states, 
like China and Russia have ``cybersecurity'' policies and laws that are 
aimed at controlling discourse and dissent. These countries both claim 
``absolute sovereignty'' in cyberspace and do not recognize that 
international human rights transcend international borders. Restrictive 
policies curtailing the free flow of information have both negative 
human rights and economic impacts. The U.S. has been a leader in 
advancing Internet freedom in the past including helping found the 
Freedom Online Coalition, a group of thirty countries dedicated to 
advocating for these issues in multiple forums around the world. The 
U.S. must continue to lead to guarantee both human rights and economic 
benefits of the Internet.
Fighting Data Localization
    A number of countries have enacted or are considering data 
localization mandates that require data belonging to residents, 
companies or entities of that country to be stored in that country. 
Though these laws or policies arise in part from concerns about 
surveillance or difficulty in accessing data for law enforcement 
investigations when stored abroad, and are often described as privacy 
or security measures, they instead, in many cases, act as trade 
barriers and mechanisms to enable greater state control of content. 
Data localization requirements, essentially mandating that U.S. and 
other global providers construct data centers in localities around the 
world, are not scalable or economically practical, and are particularly 
anticompetitive to new or smaller players. These mandates also 
completely undercut many of the benefits of the cloud architecture 
including increased efficiency, access and the possibility of greater 
security. Moreover, some states, like Russia, enact such requirements 
to better control dissent. Of course, there are legitimate concerns 
that some states have raised with respect to access to data. When data 
is stored in the U.S., our electronic privacy laws make access for a 
foreign government difficult in a law enforcement investigation even if 
the crime and participants all were in that country. The U.S. has 
attempted to address this recently through the Clarifying Lawful 
Overseas Use of Data (CLOUD) Act. Though negotiating bilateral 
agreements pursuant to this law should be a priority, the U.S. must 
also continue to push back against data localization in all of its 
engagements.
Addressing Potentially Conflicting, Misguided or Unfair Regulatory and 
        Legal 
        Regimes
    Countries and multilateral bodies around the world are enacting or 
considering regulatory, policy or legal regimes dealing with some 
aspect of cyberspace and the Internet. Among other things, these 
frameworks attempt to address online privacy, cybersecurity, market 
access and emerging technology such as the Internet of Things (IoT). 
Though some of these measures are meant to address real concerns in a 
country or region, they often have unintended (and sometimes intended 
effects) that extend well beyond their borders. In some cases, if the 
locally developed standard is made the global default, there is a risk 
of impacting freedom of speech or other strongly held U.S. values. In 
other cases, there is the risk of a multiplicity of conflicting regimes 
that serve to fragment Internet commerce and create a confusing 
landmine for global companies. And in some cases, the policies are 
explicitly aimed at encouraging ``indigenous innovation'' and act as 
market access barriers.
    For example, many of China's laws and regulations, including its 
Cybersecurity Law, are deliberately vague but have broad implications 
for data localization, mandatory testing, cooperation with Chinese 
authorities, forced technology transfer and market access in China. 
Though China presents this and other laws and policies as best 
practices for cybersecurity, it can act as a significant impediment to 
U.S. and other companies doing business in China, as well as serious 
human rights concerns, and will create even further barriers if adopted 
by other countries as a best practice.
    The European Union has been addressing a number of issues in 
cyberspace including privacy and cybersecurity. The General Data 
Protection Regulation (GDPR) is now the law in the E.U. Among other 
things, it creates privacy related requirements for entities processing 
E.U. citizen data that extends to most U.S. Internet and global 
companies. Yet, extraterritorial application of the GDPR may create 
conflicting obligations for U.S. companies. For instance, the GDPR 
enshrines the ``right to be forgotten'' that mandates that E.U. 
individuals can force service providers to remove certain information 
about themselves. However, such a mandate may well conflict with the 
First Amendment right of freedom of expression and unduly infringe 
public access. In cybersecurity terms, though the GDPR creates a 
standard for cybersecurity protections of personal data, and has a 
carve out for data that must be shared for network defense purposes, it 
has had an unintended consequence in potentially rendering WHOIS, an 
important tool used by industry and law enforcement to combat online 
crime, less accessible and useful. The E.U. has also been working on a 
Cybersecurity Act that mandates a mostly voluntary certification regime 
for Internet connected devices. This law has evolved significantly with 
a lot of U.S. and other industry input and could end up becoming a de-
facto global standard.
    Other countries and regional organizations are also addressing a 
myriad of other issues including cyber breach reporting and potential 
policies around the Internet of Things. Unless these efforts are 
compatible, or at least interoperable, and unless they adopt a risk 
based approach, they will pose significant challenges for U.S. global 
entities.
Promoting a Secure and Stable Cyber Environment
    The future viability of the Internet as a platform for commerce and 
social good depends on that platform's security and the long term 
stability of cyberspace. Threats by nation states, organized criminal 
groups and other bad actors threaten to undermine government, business, 
consumer and individual confidence in the Internet and networked 
technologies. Moreover, a number of recent cyberattacks and intrusions 
amply demonstrate that malicious cyber activity can have large economic 
impact.
    With respect to cybercrime, consistent laws and strong enforcement 
are paramount. The U.S. has championed the Budapest Convention on 
Cybercrime which creates consistent substantive laws and procedures. 
Sixty countries have now joined that Convention. Russia has long 
opposed Budapest and, instead, is set to promote a new cybercrime 
convention in the United Nations this fall. A new convention will take 
many years to negotiate, be less strong than the Budapest Convention 
and will likely seek to deal with content issues that are protected in 
the U.S. More importantly, if countries wait for a new convention, it 
will undermine the real need for every country to address this issue 
now.
    On cybersecurity, it is in the U.S. interest for countries to have 
comprehensive national strategies that are drafted with multi 
stakeholder input and take into account security, economic and human 
rights perspectives and for countries to have institutions and the 
ability to cooperate with the U.S. in sharing information and 
addressing online threats. With respect to both cybercrime and 
cybersecurity, targeted capacity building is important to building the 
capability of other countries to work with us in addressing online 
threats.
    Malicious nation-state activity, such as Russian interference with 
our elections and democratic processes around the world or their 
sponsorship of the economically destructive NotPetya ransomeware worm, 
requires both a short term deterrence strategy and a long term effort 
to achieve cyber stability. On deterrence, we need to do a much better 
job of imposing timely and credible costs on adversaries, particularly 
nation states, who do us harm in cyberspace. On stability, it is 
important that we continue to advance internationally a framework of 
cyber stability that includes voluntary rules of the road, or norms, 
for nation state conduct. The U.S. has made a good deal of progress on 
that front, including getting agreement from many countries on 
voluntary norms that countries should not attack critical 
infrastructure in other countries in peacetime and should not steal 
trade secrets or intellectual property through cyber means to benefit 
their commercial sector. The Commission for the Stability of 
Cyberspace, on which I serve as a Commissioner, is a multi-stakeholder 
group that has sought to advance this work, including by proposing two 
norms: 1. That state and non state actors should not take actions that 
substantially damage the general availability of the public core of the 
Internet and 2. That state and non state actors should not allow cyber 
operations intended to disrupt the technical infrastructure supporting 
elections. Getting other countries to embrace these voluntary norms and 
a larger stability framework that includes the application of 
international law in cyberspace and certain confidence building 
measures, will pay both national security and economic dividends but 
more needs to be done.
Some Thoughts on the Way Ahead
Increased Coordinated International Engagement
    Given that every country and virtually every international and 
regional multilateral organization is now dealing with some aspect of 
cyberspace or the Internet, my overarching recommendation is that it is 
imperative that the U.S. Government and U.S. stakeholders step up 
diplomatic engagement on these issues around the world and that this is 
made a true national priority. This recommendation is also echoed in a 
number of the submissions to the recent Notice of Inquiry on 
International Internet Policy Priorities issued by the National 
Telecommunications and Information Administration (NTIA). To up our 
game on international engagement requires enhanced structure, 
resources, and a whole of government cross-cutting strategy.
    I applaud the continued efforts of my former colleagues at State, 
Commerce and other agencies, but I believe those efforts have been 
hampered by the lack of a sufficiently high-level office at the State 
Department and the recent abolition of the Cyber Coordinator position 
at the White House. On the first, as I noted above, my former office, 
among many other things, facilitated coordination across the government 
and helped provide high level representation with other governments to 
advance U.S. policies on a range of issues. I commend the House and 
Senate efforts to restore, strengthen and institutionalize my former 
office. The House passed the Cyber Diplomacy Act several months ago and 
the Senate Foreign Relations Committee recently voted a companion bill 
out of committee. I am particularly pleased that these were bi-partisan 
efforts reflecting the bi-partisan nature of most of these issues. 
Hopefully, the Department of State will take action on this matter 
soon.
    Given the cross-cutting nature of these issues, international 
engagement on them requires a whole of government approach that 
leverages not just the State Department and the Commerce Department but 
the full range of U.S. agencies in a coordinated and strategic way. In 
the past, that coordination has been significantly boosted by the Cyber 
Coordinator at the National Security Council. Though the coordinator 
sat in the NSC and had a focus on security issues, he also brought 
together and worked with other parts of the White House, including the 
National Economic Council, the Office of Management and Budget, the 
Office of Science and Technology Policy, and the interagency on a range 
of policy issues including Internet governance. Indeed, when the 
position was first suggested in the Cyberspace Policy Review in 2009, 
it was to be dual hatted between the NSC and NEC to fully account for 
the wide range of issues in cyberspace. In any event, the loss of that 
high-level position, coupled with the at least temporary demotion of my 
prior office, complicates interagency coordination and also sends the 
unfortunate signal to both our friends and our adversaries that the 
Administration does not really prioritize these issues.
    Resources are another important consideration. For example, 
assuming my old office is resurrected, it still needs sufficient 
personnel and funding to be effective. This importantly includes 
funding for capacity building that was severely cut last year. Capacity 
building can take many forms, including working with foreign 
governments and emerging leaders on aspects of Internet governance or 
regulatory policy, helping countries enact appropriate laws and 
national strategies, and working with countries to boost their ability 
to combat cybercrime and have strong cybersecurity policies and 
institutions. For a relatively small amount, targeted capacity building 
not only helps the U.S. by helping other countries gain the 
capabilities to work with us, but it also has the benefit of helping to 
win the support of developing countries for our vision of the Internet 
and cyberspace. Convincing these countries that we want to help and 
that an open, interoperable and secure Internet benefits them, is 
particularly important in enlisting their support in the growing array 
of multi-lateral bodies that are now addressing Internet and cyber 
issues.
    It is also important for the private sector, civil society and 
other stakeholders to continue to engage in these efforts and enhance 
their participation. Many companies and civil society groups already 
work in a variety of international forums and their contributions are 
invaluable. And, I fully understand there are significant resource and 
time constraints both for the private sector and especially civil 
society given the number of places discussions and decisions are taking 
place. Nevertheless, given what is at stake we must find ways to help 
increase participation.
    Finally, it is important that the U.S. has a high-level cross-
cutting, integrated strategy that leverages all relevant government 
agencies, outside stakeholders and like-minded countries to deal with 
the many challenges we face internationally and helps direct and 
prioritize our engagements. The U.S. International Strategy for 
Cyberspace issued in 2011 helped guide and integrate U.S. policy and 
agency actions across economic, security, and human rights issues. The 
overarching goal was that ``[t]he United States will work 
internationally to promote an open, interoperable, secure, and reliable 
information and communications infrastructure that supports 
international trade and commerce, strengthens international security, 
and fosters free expression and innovation. To achieve that goal, we 
will build and sustain an environment in which norms of responsible 
behavior guide states' actions, sustain partnerships, and support the 
rule of law in cyberspace.'' Much has happened since then and there are 
many new challenges. Although the current Administration, by Executive 
Order, mandated a number of important reports and recommendations from 
agencies largely related to cybersecurity, no larger or comprehensive 
strategy that, among other things, weaves those recommendations 
together, has yet been released.
Strengthening Multi-stakeholder Internet Governance Institutions
    There are a number of efforts underway to strengthen existing 
multi-stakeholder Internet Governance institutions to make them more 
transparent, effective and inclusive that we should continue to 
support. These efforts are important not only to make these 
institutions more capable but also to insulate them from those 
countries trying to impose intergovernmental control over the Internet. 
In addition, sustained and increased participation by governments and 
other stakeholders in these institutions is also important and 
increases their legitimacy. Among other things, the U.S. Government 
should work to sustain and strengthen the Internet Governance Forum. 
The IGF provides a valuable forum for stakeholders around the world to 
engage in discourse on the full range of Internet and cyber issues. 
Although its mandate was extended for ten years just two years ago, it 
has suffered from a lack of sustained funding, a decrease in attendance 
by senior government officials and the private sector, and issues 
related to its continuity from year to year. The U.S. is and should 
continue to be an advocate for this forum but should also help sustain 
and improve it. The U.S. has helped fund the IGF in the past and should 
do so again now and encourage other contributions. The U.S. should also 
encourage and help facilitate strong senior participation particularly 
by senior U.S. officials and other senior stakeholders. Moreover, the 
U.S. can play a key role in helping the IGF address any perceived or 
actual shortcoming without making it a decisional body or fundamentally 
changing its character.
Filling the Void and Showing Leadership
    If the United States wants to drive the global conversation or have 
its policies serve as a global standard it has to lead by example. That 
has been done in the past when, for example, we made cyber issues a 
diplomatic priority or when the National Institute of Standards and 
Technology promulgated their Cybersecurity Framework in partnership 
with industry and very effectively promoted it around the globe. Part 
of this is the high level international engagement I discuss above but 
part of it is promoting concrete alternatives. For example, with 
respect to privacy, the Obama Administration proposed a Consumer 
Privacy Bill of Rights and there was legislative action that was 
started, though not completed, to put them into law. Affirmative 
privacy legislation would help push back on misperceptions by some in 
Europe that the U.S does not care about privacy and can serve as an 
attractive alternative for countries who are now considering privacy 
legislation of their own. Federal data breach legislation has also 
languished for some time even though every state has their own version 
of breach legislation and other countries are moving forward with their 
own proposals. I am not suggesting legislation is the only way to show 
leadership and any legislation needs to solicit stakeholder input and 
balance potentially competing interests, but the U.S. needs to present 
an affirmative vision and concrete alternatives to policies we don't 
believe serve our interests or the interests of an open and secure 
Internet.
Accelerate Negotiations under the CLOUD ACT
    The CLOUD Act coupled with an executing bilateral agreement takes 
away one of the traditional justifications for data localization. 
Accordingly, accelerated negotiations of bilateral agreements under the 
Act should be encouraged and resourced. Of course, the countries or 
groups of countries with whom such agreements are negotiated must have 
adequate due process and privacy protections and these agreements will 
not prevent governments from mandating localization if they want to do 
so to repress their citizenry or to impose a market barriers, but the 
potential availability of these agreements can make a real difference 
with a number of partners. In addition, work should continue and 
resources should be allocated to streamline and speed up the Mutual 
Legal Assistance process.
Promote Cybersecurity, Cybercrime and Stability Efforts to Increase 
        Trust and 
        Security
    Although this may be beyond the jurisdiction of this Subcommittee, 
programs designed to increase international efforts to combat 
cybercrime and promote cybersecurity should be encouraged and resourced 
as these programs make cyberspace more profitable and secure for our 
businesses and safer for our citizens. This includes capacity building 
efforts to ensure countries have strong laws, policies and 
institutions; promotion of basic cyber hygiene measures; enhanced 
operational information sharing enabling prosecutions and enabling 
collective response to shared threats; and increased deterrence of 
malicious state actors. Finally, the U.S. should continue to 
demonstrate leadership on efforts to secure the long term stability of 
cyberspace and engage with other countries and other stakeholders on 
this important issue.
    Thank you for the opportunity to testify today on this important 
and timely issue, I look forward to your questions.

    Senator Wicker. Well, thank you, all, for this very, very 
fine testimony. It sounds like we've got some challenges and in 
that regard, Secretary Chertoff, the NTIA recently issued a 
Notice of Inquiry soliciting public comment on its 
International Internet Policy Priorities.
    In your testimony, you mentioned how so much of the 
Internet's value is in its global nature. So how do we balance 
the business needs for the free flow of data with the point you 
make about the need to protect our freedom of action which 
requires that we take greater ownership and control of our 
data, even when it is accessible to others?
    Secretary Chertoff. So I think, Mr. Chairman, you're 
referring to something in my book there.
    Senator Wicker. On Page 4 of your testimony.
    Secretary Chertoff. Right. So here's what I think in terms 
of----
    Senator Wicker. By the way, how's your book doing? Here it 
is.
    Secretary Chertoff. There is it, yes. I think it's doing 
well. You're reading it.
    Senator Wicker. Hundreds of people are watching right now.
    Secretary Chertoff. I do think that people do need to take 
ownership of their data and they do need to have more control 
over their data, particularly because so much is being 
generated now that really if we don't have some mechanism to 
assure that we have a say in what is done with it, we really 
risk our freedom.
    At the same time, I'm nervous, based on the testimony we've 
heard up to now, that the European method tends to be a little 
bit overly bureaucratic and overly heavy-handed in terms of 
regulation.
    To me, the solution is to recognize that certainly with 
most of the world that shares Western values, we have a common 
general approach and belief in the importance of individual 
freedom and individual privacy and we should acknowledge that 
and work in a cooperative way to develop a system of rules that 
honors that fundamental objective but doesn't get so 
particularistic and so heavy-handed that it actually creates 
barriers to the free flow of information.
    We've succeeded in doing this in other areas, particularly 
with the Europeans, and to echo what my co-witnesses have said, 
this does require consistent engagement by the U.S. Government 
and by U.S. civil society with counterparts in other parts of 
the world.
    Senator Wicker. Dr. Layton, you specifically testified, ``A 
popular misconception about the EU's General Data Protection 
Regulation is that it protects privacy. It does not.''
    Talk about that, and if we're going to try to negotiate 
with the EU on tariffs and preferences, shouldn't the GDPR be 
part of our negotiation?
    Dr. Layton. Short answer, yes, absolutely. Just so you 
know, the word ``privacy'' only appears about three times in 
the entirety of the GDPR, and it's specifically their version 
of data protection, and I think it's--so our--for example, you 
can go to many countries in Europe where people's mobile phone 
numbers are publicly available. Their tax returns are publicly 
available. People swim naked in public places. So we have very 
different conceptions of privacy.
    What I would like to underscore is that the GDPR is 
actually a geopolitical, not a humanitarian move. It is coming 
after 10 years of economic malaise in the European Union. There 
is deep dissatisfaction with Brussels. Less than 40 percent of 
Europeans vote in the election. So this is a reaction to that 
and I would say the Europeans that I know, they want 
prosperity. They want to move forward.
    The public opinion was not onboard with the heavy-handed 
approach that the EU took.
    Senator Wicker. I believe you said that it is not evidence-
based. Is that correct?
    Dr. Layton. That is correct. The idea of an evidence-based 
process would include a process of data and outcome. So in the 
173 provisions, you've had something over a decade of GDPR 
kinds of rules that have been in place and after a decade, what 
we can see is that only 20 percent of Europeans even shop 
outside their own country and only 20 percent of businesses are 
online.
    So the rules have not worked to increase trust in their own 
online system and that was the whole idea, that they would have 
a digital single market the way we do in the United States, and 
these rules have not helped them to achieve those goals.
    Senator Wicker. Your position is it's not good for 
Europeans?
    Dr. Layton. No.
    Senator Wicker. Is it not for Americans either?
    Dr. Layton. Absolutely. And just to share one last thing 
that's just happened, the European Soccer Leagues, they have 
now adopted a policy that they will not trade the soccer 
players and they cannot disclose the information on their 
injuries. So if you want to buy a particular soccer player, 
trade them to your team, you're not allowed to know what 
injuries they have.
    So this is also hurdling back on them, governments, as 
well. The European Governments are also liable and there's 
abuse.
    Senator Wicker. Very good. We'll probably take another 
round, if we can.
    Senator Schatz.
    Senator Schatz. Thank you, Mr. Chairman. Thanks to all of 
the testifiers.
    I'll start with Mr. Painter. You were the State Department 
Cyber Coordinator for 6 years and you described the importance 
of the position kind of as a policy and in a way in the 
abstract.
    I'm wondering if you can give me some specific examples of 
what you did that made a difference in terms of the governance 
of the Internet.
    Mr. Painter. Sure. Among other things, I think really 
central to all of this is showing U.S. leadership and building 
alliances with other like-minded countries, so that we can push 
back on a lot of the things we talked about today, particularly 
attempts by Russia, China, other countries to take over the 
Internet or to impose multilateral control over it in venues 
like the ITU, the UN, and other places.
    Getting that coalition of countries and having that 
constant interaction with them was key to doing that and that 
was the U.S. taking the lead. We weren't sitting on the back 
bench. I think that was very important.
    Also, incorporating issues around Internet governance, 
economic issues, human rights issues in every dialogue we had 
with every country. We had all these whole government dialogues 
with a number of other countries and that raised these issues, 
so they weren't stove-piped in one area or another.
    We also helped launch the Freedom Online Coalition, which 
is a group of about 30 countries, to promote freedom online and 
also working in all these different international venues, and 
we created and advanced a framework for cyber stability that 
included the application of international law, norms of 
behavior, and cyberspace confidence-building measures which 
again addresses some of the instability issues of the Internet 
because the Internet as a platform needs to be secure to really 
underlie all the commerce that we're hoping that happens 
there,----
    Senator Schatz. So----
    Mr. Painter.--and a number of other things.
    Senator Schatz. So we should re-establish the position in 
China, the statute. What else should we be doing?
    Mr. Painter. So I think there are a number of other things 
that we can be doing to promote this.
    I mean, one is, you know, to step up this whole of 
government-level engagement across the board and work with 
companies and that involves forming coalitions again with like-
minded countries who would support us, who have the same basic 
view, and engaging in that level.
    Another thing is to provide concrete alternatives. We don't 
like some of the things that are going on out there. I think we 
all agree on that, but if the U.S. isn't providing concrete 
alternatives when some of these countries or collections are 
trying to export their laws, for instance, China or even the EU 
with GDPR, if we don't have a key or an alternative that is an 
attractive alternative to other countries who are looking at 
this, they're going to adopt those standards and they're not 
going to inure to our benefit.
    So having things like there was in the Obama 
Administration, the Privacy Bill of Rights, there was some 
legislation to try to bring that forward, if we had a concrete 
alternative that really balanced all the issues that the 
panelists talked about but provided alternatives to others, I 
think that helps.
    And, you know, I think those are really some of the key 
things we could do. There are many others, but those are two of 
the important ones.
    Senator Schatz. Thank you.
    Secretary Chertoff, I think a lot of us struggle with the 
desire to look at what happened in 2016 in terms of election 
interference, especially on social media platforms, and to want 
our national security agencies and the platforms themselves and 
even voters to be more engaged so that we're not as vulnerable 
in the future.
    What we don't talk about as often is that we have to be 
pretty planful and careful and precise in terms of what model 
we establish for working with the Government to push back 
against constitutionally protected speech and that's the 
difficulty because those tools that we establish will be an 
example not just for our allies and our like-minded friends 
around the world but some of our adversaries and authoritarian 
regimes.
    I'm wondering if, you know, in the minute or so remaining 
you can talk about (a) how we strike that balance and I'm not 
sure you can answer that in a minute, so where we work on 
striking that balance to me is the fundamental question.
    Secretary Chertoff. Well, Senator, I think that's exactly 
the right question.
    Briefly, I would say this. I do think we have to be very 
protective of the First Amendment and therefore be extremely 
cautious about proposals to regulate content or say certain 
content is off limits.
    The First Amendment basically gives us freedom of speech, 
except in a very narrow category of things. Where I do think 
there's more room for actually taking some affirmative action 
is in the area of disclosure of identity about who is actually 
posting things.
    So, for example, I know there's legislation pending about 
requiring foreign entities that buy ads or otherwise pay for 
space on social media platforms. I think that's consistent with 
what we do offline and there's no reason not to do that.
    Likewise, I don't think there's any First Amendment 
protection for impersonating Americans or for bot nets or for 
automated trolling or other ways of manipulating search engines 
and those are areas I think we could quite usefully focus on, 
working together with the social media companies.
    Senator Schatz. Thank you.
    Senator Wicker. Thank you, Senator Schatz.
    Senator Fischer.

                STATEMENT OF HON. DEB FISCHER, 
                   U.S. SENATOR FROM NEBRASKA

    Senator Fischer. Thank you, Mr. Chairman.
    Dr. Layton, you had mentioned that in Europe there are some 
different expectations when it comes to privacy. I would be 
interested to know how you would define privacy in the digital 
era.
    How do we manage the privacy expectations of consumers?
    Dr. Layton. Well, I'm going to give you the research the 
Agency for Network Security actually developed and said that 
the privacy and trust is a function of four things. It's the 
level of education of the consumer or the user. It is the level 
and types of technology. It's the business practices and the 
institutions, and when you look at something like GDPR, it only 
focuses on two of the four things.
    So what I would say, if we only did one thing, we, as a 
nation or individuals, we have to do more to have people be 
digitally competent and digitally aware, and it's maybe not 
necessarily something that the Congress defines exactly what it 
is, but we have a tremendous amount of information and ability 
to communicate.
    So, for example, I want to recommend Mr. Chertoff's book, 
which I just read, and he talked about the first thing, buyer 
beware. The Number One thing in cybersecurity, you have to take 
responsibility for the platforms, the networks that you use.
    Senator Fischer. To define privacy in the era that we are 
in now, this digital era, the first thing would be buyer 
beware?
    Dr. Layton. Taking responsibility.
    Senator Fischer. It's up to each of us to figure out?
    Dr. Layton. Well, there's a gap right now. There's a gap in 
what--you know, we need to close the gap in terms of the idea 
of a digital literacy or what are the 10 things I need to know 
before I go online to protect myself and so that is the gap 
which is missing in the GDPR today. It's what the scientific 
research shows that's important and we don't even need to make 
legislation to do that. We can actually--each and every person 
can take a step up to take responsibility for what we do 
online.
    Senator Fischer. The expectation is that each individual is 
responsible and the Internet is a space where you take your 
chances?
    Dr. Layton. No, that's not what I'm saying. I'm saying the 
part of the four--the four factors that I mentioned, we're 
missing two out of the four right now. OK. So we have lots of 
regulations. We have lots of rules on businesses. OK. We have 
lots of institutions. We're missing education and we're missing 
incentives for privacy-enhancing technologies.
    So I'm trying to promote as individuals we take more 
responsibility for what we do.
    Senator Fischer. OK. Mr. Secretary, do you feel that a lack 
of any kind of unified data privacy policy could lead the 
United States to becoming more isolated?
    Secretary Chertoff. I do, Senator. I think that, first of 
all, even within the country, you know, California's now passed 
a law that deals with the issue of control of data. We could 
wind up with multistate laws that are conflicting with each 
other or at least inconsistent and certainly would be helpful 
at least to smooth it out here.
    But beyond that, to come back to the fundamental point, I 
recognize that a country like Russia or a country like China is 
going to be fundamentally different in their attitude to issues 
like controlling data and controlling information, and so 
therefore there may be limited scope for agreement there.
    But I do think with Western countries, although their 
particular approach tends to be different than ours, tends to 
be much more regulatory, micromanaging, I think the basic value 
system is very compatible and that's where I think an ability 
to reach an agreement as to what our overall objective is would 
open the door to them working on some of the differences which 
have created barriers for our businesses as well as some 
confusion about what the rules are.
    So to me, this is about ultimately how do we protect 
people's rights to make sure their data isn't being used in a 
way that's contrary to their interests or that invades an area 
that we think they ought to be in control of.
    Senator Fischer. You know, many of us on this Committee 
also serve on Armed Services Committee and we worry about the 
security of the information that agencies have and that 
agencies also share. A lot of times civilian agencies don't 
have the security, say, as the Department of Defense would 
have.
    How can we ensure that that information that's out there is 
more secure? In your role as Secretary of DHS, you were very 
involved in that. What do we as policymakers need to look for?
    Secretary Chertoff. I think the challenge here is unity of 
effort among a lot of different agencies, many of whom don't 
regard security as a core mission, and, unfortunately, Exhibit 
A is the Office of Personnel Management, which probably 
everybody in this room was a little bit of a victim of that 
hack.
    I do think the Administration has made the right decision 
in designating in terms of government security DHS as playing a 
lead role and I think it's important to make sure that the 
department has the authorities necessary to make sure that all 
the agencies live up to the requirements of basic cyber hygiene 
and cybersecurity, including continuous diagnosis and 
monitoring, response plans, and other kinds of elements of a 
layered defense.
    So that set of authorities, making sure that's firmly 
lodged in one accountable agency and that it's appropriately 
funded, I think would be a big step.
    Senator Fischer. Thank you. Thank you, Mr. Chairman.
    Senator Wicker. Thank you, Senator Fischer.
    Senator Inhofe.

                 STATEMENT OF HON. JIM INHOFE, 
                   U.S. SENATOR FROM OKLAHOMA

    Senator Inhofe. Thank you, Mr. Chairman.
    I'm glad that Senator Fischer brought up the situation on 
the Defense Authorization Bill because I see a lot of 
similarities here. In fact, we will be voting on that. The 
conference passed the House last week and we'll probably have 
it on Thursday.
    I've been watching and this does change with 
Administrations. We went through an Administration, eight years 
of the Obama Administration that, even in all fairness, really 
didn't have the priority on national defense that a lot of us 
believe it should have.
    As a result, we have some areas--I'm getting at trying to 
determine where Russia and China are now relative to us in the 
subject at hand in this Committee because I can tell you right 
now there are a lot of areas in Defense, one being in the areas 
of artillery. Artillery is measured by rapid-fire and range and 
actually Russia and China are ahead of us in both areas. 
They're ahead of us in our nuclear activities, our TRIAD, and 
this hypersonic.
    Hypersonic is the big thing that's coming into the Defense 
system because it's a system that operates at five times the 
speed of sound. So it's very significant.
    So I'd like to start off by maybe--I can ask anyone. Mr. 
Bladel, I keep hearing, and you folks are experts, but I hear 
that, yes, we're still in our areas a little bit ahead of China 
and Russia but they're catching up. Is that an accurate 
characterization?
    Mr. Bladel. Senator, thank you for the question. I think I 
probably shouldn't speak to their capabilities as state actors. 
I can say from our perspective, as a private sector company, we 
see that the largest and most frequent attacks, cyber attacks 
on our systems are originating from Russia and from China, and 
our cooperation is primarily through private sector and 
industry coalitions and coordination, both vertically and 
horizontally, throughout the technology industry.
    Senator Inhofe. You mentioned also, it wasn't in your 
written statement, when you were speaking a moment ago, that 
there are now a 120 countries that have data processing laws. 
So that means there are a lot of them that don't have those and 
we should have, you know, adequate protection, I think everyone 
agrees with that, and we're more effective with partners.
    Now the question I would ask you is we all agree that 
that's right. How do we cement these relationships with the 
partners that should be doing the job with us? What's the most 
effective thing we can do to go out and attract partners who 
would also agree that we're more effective if we do it as a 
group?
    Mr. Bladel. So, Senator, I think that point was made by one 
of the other panelists, but I'll go ahead and build on that, 
that the proliferation of different privacy regulations is 
creating confusion, it's creating friction, and it is a growing 
issue, as another one of the witness's testimony noticed, that 
the GDPR is gaining momentum or GDPR-equivalent-type frameworks 
are gaining momentum outside of Europe, and I think the answer 
is that we continue to show U.S. leadership by helping to push 
back on the differences and the inconsistencies between the 
various frameworks and focus on those areas of commonality and 
try to really around those core principles of what we believe 
to be the protection of data but allowing free flow of 
information and the conduct of commerce across borders.
    Senator Inhofe. That's good. Secretary Chertoff, you had 
made the statement that's specifically talking about the role 
of the United Nations and that Russia and China want to enhance 
that role. I think we all understand and agree with that, but 
how effectively could we try to accomplish that?
    Secretary Chertoff. I think the U.S. has generally been 
consistent in saying we don't believe the U.N. is the right 
forum for dealing with these issues, partly because, 
particularly with the Security Council, that would essentially 
politicize the process of dealing even with the technical 
aspects of the Internet, which is why, of course, the Russians 
and the Chinese want to do that.
    I think we need to continue to look to again this multi-
stakeholder model where we go to FORA, where we can engage the 
private sector, the business community, and consumers in coming 
up with proposals for how to reconcile the various interests 
that are a part of the Internet.
    Just to follow up a little bit on the prior question, a lot 
of--they used to say a lot of life is just showing up. A lot of 
dealing with these issues is showing up, by being present, by 
dealing with your counterparts in other countries.
    My experience is you will often find there's a greater 
degree of fundamental agreement than might be evident at first 
but in order to be able to have the impact you've got to play.
    Senator Inhofe. All right. Very good. Thank you very much. 
Thank you, Mr. Chairman.
    Senator Wicker. Thank you, Senator Inhofe.
    Senator Capito.

            STATEMENT OF HON. SHELLEY MOORE CAPITO, 
                U.S. SENATOR FROM WEST VIRGINIA

    Senator Capito. Thank you, Mr. Chairman. Thank all of you 
for being here today.
    I would like to say just at the onset that the Department 
of Homeland Security is in New York today announcing, I think, 
a really great move on their part, which is a new Cyber Hub to 
protect our critical U.S. infrastructure, sort of goes a little 
bit into what we're saying or a lot of into what we're saying 
today, but to be that flexus point or nexus point of the 
Nation's banks, energy companies, and other industries to help 
protect them from major cyber attacks. I want to say thank you 
to the Secretary and I know that she probably asked for your 
advice as she's moving forward. I think it's a very good thing.
    All of you have talked about the GDPR and regulations that 
have come from the EU. Some of you have addressed it in a 
problematic way. I think, Mr. Bladel, you talked about how it's 
causing you to divert assets into figuring out how to do this.
    I think, Dr. Layton, you said, interestingly, that a 
popular misconception is that it protects privacy. You said it 
does not. It is about data protection or, more accurately, data 
governance and your last statement in your written statement 
says, ``Data protection is a technical issue whereas data 
privacy is a legal issue.''
    Do you think, as we look at governance, we need to look at 
both of these issues together? If you could talk about that a 
little bit.
    Dr. Layton. Surely. I think the key difference is privacy, 
we might see in the United States as a natural right and 
something inviolable, something we're born with, versus in the 
European conception, it's a government-granted right.
    So the key difference there is, you know, what government 
gives government can take away. A key difference from the U.S. 
perspective is that our natural rights are things that are 
inherent. We don't ask anything of anyone else to have those 
rights versus a European approach is it's making requests and 
requirements of others in order to do those things. So our 
understanding of privacy is fundamentally different.
    The other aspect is amongst these 173 provisions, it's 
really a hodgepodge of essentially a laundry list of a set of 
stakeholders that want to have certain regulations to be able 
to go after American companies, to achieve outcomes that they 
could not achieve in the courts or through antitrust, and the 
GDPR itself actually reverse engineers a number to create a 
class action lawsuit culture, so that people can have standing 
in court to be able to bring lawsuits they couldn't before.
    To date, the Europeans didn't want to have the sort of U.S. 
style class action lawsuit culture, for better or worse, and 
that has changed now so that we have now the abuse of 
complaints. You could get a million complaints in a day that is 
just automatically generated.
    So there are 62 data protection authorities in the EU and 
they don't have training on how to do this. The enforcement 
will be very disjointed. It's primarily focused on U.S.----
    Senator Capito. I guess if we're looking at this in terms 
of the future, we need to look at lessons learned here as 
they've been trying to implement theirs.
    Mr. Painter, in your statement, along those same lines, you 
say that the GDPR enshrines the right to be forgotten, that 
mandates that EU individuals can force service providers to 
remove certain information about themselves.
    When I asked Mark Zuckerberg when he was in front of our 
Committee, I asked him do individuals have the right to delete 
their individual information, in other words, remove themselves 
from Facebook, personally I believe they should have that 
right, he assured me that they do have that right and that it 
does happen, but I'm still not convinced it's not out there 
somewhere and that it cannot be retrievable in some form or 
fashion.
    Do you have a statement on that?
    Mr. Painter. Yes, so I think there are positive aspects of 
deleting your data, and I do agree you should be able to delete 
your data and control your data and have access to your data 
and have transparency into your data. That's some of the data 
privacy things we should be looking at.
    What this does, though, I think, is create attention with 
the First Amendment and human rights because what it says is 
you can delete your data anywhere. You can do it perhaps as a 
public figure, other newsworthy stories that people have a 
right to consume, impacts First Amendment rights.
    So the trick is making sure you're doing this in the right 
way and the approach taken by the EU, I think, is too broad. I 
totally agree with you, though, for providers, like Facebook 
and other providers like that, it's your data and you should 
have a chance to edit it, to remove it, et cetera, and have 
access to it.
    Senator Capito. Well, it seems to be just in the general 
sense if we're going to figure out how to move forward 
internationally on privacy, there are so many conflicts and 
then we haven't even, in my questioning, you know, gotten into 
what Russia and China think your right to privacy is, which 
obviously vastly different.
    So thank you all very much.
    Senator Wicker. Before I recognize Senator Peters, was the 
GDPR a statute enacted by the European Parliament or was it 
written by a regulatory agency? I know it just went into effect 
in May. Who can answer that? Dr. Layton?
    Dr. Layton. Sure. So if you will ask Jan Philipp Albrecht, 
who's the member of Parliament who--he's called the ``Father of 
GDPR,'' he said that essentially formalized existing laws in 
the European Union.
    Senator Wicker. Of course, that's not----
    Dr. Layton. That would be parliamentary laws and then there 
would be an EU----
    Senator Wicker. Who issued it?
    Dr. Layton. The Parliament. So that's their Congress, if 
you will, the EU Congress.
    Mr. Painter. But, I mean, it's important, as I understand 
the EU regulation-making or law-making, it's the Parliament, 
it's the Council, which is all the member states, and it's the 
Commission, which is essentially the bureaucracy, and they come 
together and, in fact, they're looking at something around 
certification for cybersecurity products right now, which the 
U.S. has been engaging in.
    So this is perhaps a cumbersome process but there are 
chances for the U.S. to intervene, to have input, and we need 
to make sure that's happening.
    Senator Wicker. Would it take an act of the Parliament to 
amend or change the GDPR?
    Senator Peters, thank you for allowing me to interject.

                STATEMENT OF HON. GARY PETERS, 
                   U.S. SENATOR FROM MICHIGAN

    Senator Peters. Thank you, Mr. Chairman. Thank you for 
holding the meeting, and Ranking Member, thank you, and to our 
panelists, appreciate the discussion.
    You know, as we talk about the GDPR going into effect, we 
have to remember that the United States, if we're going to show 
some leadership, we probably should have some comprehensive 
policy regime ourselves, which we are still lacking in this 
country. It's hard to show leadership to the rest of the world 
if we can't even get our act together here in this country.
    And as all of you know, our largest tech companies are 
under some pretty intense global scrutiny right now for their 
mistreatment of data and while other countries are beginning to 
levy fines against these companies, we are just now beginning 
to ask the questions of whether or not they're too big and 
perhaps in need of being reeled in somewhat.
    So amidst some of these antitrust discussions, Mark 
Zuckerberg and other tech giants are now recognizing that 
perhaps some privacy regulation may be necessary. However, 
there still seems to be a lack of will to participate in 
productive discussions about what these regulations should 
basically look like.
    So my question to the panel is, as we talk about GDPR as it 
relates to global e-commerce and the impact that it's going to 
have on U.S. companies, from your perspective, were companies 
that were affected by regulation, were they at the table? Were 
they part of the discussion as it went forward or was their 
lack of participation resulting in why we are in the position 
that we're in today and the concerns that you've raised? We can 
start down here with Mr. Chertoff.
    Secretary Chertoff. Well, you know, I was not involved in 
these discussions, but my understanding and impression is a lot 
of these companies do have a significant presence in Brussels 
and did attempt to lobby and interact, but I think the effect 
of that is diminished if the U.S. Government's not fully 
engaged for obvious reasons.
    Senator Peters. Mr. Bladel.
    Mr. Bladel. Yes, Senator. Our company was not engaged in 
the development of GDPR. However, we were engaged as part of 
the Multi-Stakeholder Governance Forum, particularly in ICANN, 
in understanding what to do with GDPR and particularly how it 
impacted our industry.
    Senator Peters. Did you see it coming?
    Mr. Bladel. We probably had less notice than we would have 
liked, Mr. Chairman, probably about a year to 18 months in 
advance was all we received.
    Senator Peters. Dr. Layton.
    Dr. Layton. Well, first of all, I would say I have been 
very pleased by the response of Congress to look at these 
issues. I've found it has been bipartisan. I think that there 
has been a good faith effort on both sides of the aisle to 
address the issue and I'm very encouraged by that.
    What I would say about our American approach, the merit of 
it is that we have focused traditionally on sensitive 
information. We know there are things that are inherently 
sensitive, health, financial, information about children. So 
the advantage of that, well, certainly for the taxpayers' 
perspective, we focused our resources where we know there was a 
threat.
    So under GDPR world, me as an academic, I have the same 
liability as a major company. So there are concerns about small 
entities being unduly burdened and so I think that there is 
real value to the American approach we have taken.
    Ms. Zheng. So Business Roundtable represents some of the 
largest American companies, not just in the technology sector 
but across all sectors of the economy, and I would say that our 
member companies were definitely engaged in GDPR. They do have 
a presence on the ground in Europe.
    However, you know, the European Union is going to take 
their opinions with a grain of salt, right, because it's 
ultimately, you know, these are American companies, 
headquartered in the United States, American jobs. It's about 
the growth of American companies. They're willing to hear, you 
know, our concerns but I don't know how interested they are in 
addressing them.
    That said, I think that companies, you know, are very much 
willing to come to the table now and have an honest discussion 
about a national standard for data privacy in the United States 
and how to engage with the European Union and countries in 
Asia, as well, to promote an interoperable framework. So we 
look forward to working with members on that.
    Mr. Painter. And I would emphasize that word 
``interoperability.'' We're not going to change the GDPR now 
that it's in effect likely.
    However, I think it's important that we have regimes that 
are interoperable and we also put forward our own views on 
this. I think there was a lot of engagement by U.S. companies 
and U.S. trade associations, frankly the Government, too, with 
the EU to try to push back or guide this, just like we do in a 
lot of other areas.
    I think that can always be stepped up. I'll use the recent 
example--and it also reflects, I think, a view in Europe or for 
many in Europe that the U.S. doesn't care about privacy, which 
is just wrong. I mean, the FTC does probably more actual 
enforcement of privacy than most of the European entities.
    However, we need to fill that void. We need to show 
leadership in this area so there are alternatives and this 
doesn't become a global standard, and I'll use the example of 
the certification regime I talked about a little earlier. I was 
just in Europe talking to parliamentarians and others about 
that, a lot of industries over there, talking to them, and 
there has been changes in that draft law that incorporates a 
lot of the things that U.S. industry and U.S. stakeholders and 
global stakeholders wanted, making sure these are industry-
driven, making sure they're voluntary, making sure this 
reflects a risk-based approach.
    That's important. That level of engagement needs to be 
continued.
    Senator Peters. Great. Thank you for all your thoughts. 
Appreciate it.
    Senator Wicker. Thank you, Senator Peters.
    Senator Gardner.

                STATEMENT OF HON. CORY GARDNER, 
                   U.S. SENATOR FROM COLORADO

    Senator Gardner. Thank you, Mr. Chairman. Thank you to the 
witnesses for your time and testimony today.
    I had the opportunity a month ago or so to visit some 
nations in Southeast Asia. I visited Vietnam, I think it was 
the same week that they were considering legislation requiring 
data localization and what that would mean for Vietnam. I was 
trying to understand it and explain it.
    Ms. Zheng, when you talk to businesses and when they 
interact with you, do they talk about the need to share with 
foreign governments democratic values, ideals, things that we 
believe in in America?
    Ms. Zheng. Yes, absolutely, and I would add that there are 
various forums where we could be pushing that agenda more 
aggressively. So, for example, in our negotiations on NAFTA, 
digital trade should be a part of that negotiation. A lot of 
their, you know, sort of underlying open market, open data 
flows priority should be included as part of that.
    There are also other forums that we should be more actively 
engaged in, such as the APEC CVPR Forum on Privacy. OECD is 
also, I think, taking another look at their privacy principles 
next year.
    We need to make sure that not only, you know, companies but 
also the American Government, that we're fully engaged in those 
forums.
    Senator Gardner. Dr. Layton, what does a country or 
government like Vietnam, intend to do with data localization 
policies?
    Dr. Layton. I'm not sure what Vietnam has in mind but 
certainly a concern to me. I'm going to punt that question to 
another person on the panel.
    Senator Gardner. Mr. Painter, Secretary Chertoff, what does 
a China do or Vietnam do with them?
    Mr. Painter. So, you know, especially with China but 
Vietnam has some of these tendencies, too, there are various 
reasons countries have done this.
    One is to limit market access, which is a concern. One is 
for a realistic concern, which is it's very hard to get data 
for law enforcement purposes. That's addressed by the CLOUD 
Act. I think we need to do more of these bilateral agreements.
    But the third is to monitor and control their citizens 
better and Russia is a good example of this. China is a good 
example. If you have all the data there, it's much easier to 
see what your citizens are doing, to monitor them, to have 
mandatory data turnover legislation to make sure that the 
intelligence and other services have access to it. That's often 
what the goal is and that's harder and that's why we also have 
to push back on this human rights agenda along with the 
economic agenda.
    Senator Gardner. I think that's exactly right. Secretary 
Chertoff, what role then should the U.S. businesses play 
because a lot of these telecom companies will be involved--
excuse me--technology companies will be involved in the buildup 
of a localization or data center? So how does--what 
responsibilities does U.S. business have then at that point? 
How do you balance the need for economic opportunity and growth 
and market access with the fact that a government that may be 
using it to target individuals within its own country?
    Secretary Chertoff. You know, I think that's a challenging 
ethical problem for companies. It's a little bit like the issue 
about whether you furnish intrusive surveillance technologies 
to countries that are going to use it to oppress their own 
citizens.
    Now, on the one hand, I think some companies take the view 
that if you're--as long as we're talking about China's desire 
to have data about Chinese citizens held in China, that that's 
really a matter for the Chinese and they're agnostic. Others 
view that as enabling something that they see as inconsistent 
with the culture of openness and they withdraw.
    So I do think that we need to think very carefully about 
the extent to which we enable the kind of behavior on the 
Internet that's really fundamentally inconsistent with our 
values.
    Senator Gardner. You mentioned in your testimony a Cyber 
NATO. Could you talk a little bit more about that?
    Secretary Chertoff. Yes. I think, you know, we have a 
regular NATO, which I do think has a cyber dimension, but I 
think it's Toomas Hendrik, the former President of Estonia, who 
has talked about really having a community of like-minded 
nations that would defend our cyber assets against attacks and 
not necessarily rising to the level of war that would get into 
Article V but even something less than that, something that 
attempts to manipulate the political process or engages in 
systematic espionage or things of that sort.
    Senator Gardner. So, Mr. Painter, when SISA passed the 
Congress, I included legislation that required a U.S. cyber 
diplomacy strategy. You were there. We had a lot of 
conversations about it at the time.
    So given this need for a Cyber NATO or at least this idea 
of a Cyber NATO kind of approach, given the idea of a need to 
have more agreements with like-minded nations as it relates to 
cyber behavior data issues, et cetera, are we on the right 
strategy? Do we need a new strategy? Where are we?
    Mr. Painter. So I very much worry that it's not being 
prioritized, that we're not showing the kind of leadership from 
the top that we need to do, and, you know, there was a lot of 
work we did really starting this issue from the ground up 
because it wasn't really a diplomatic issue before and just a 
number of years ago it was established as one.
    We were the first office in the State Department that did 
this. Now 26 other countries, including China and Russia, have 
those offices. But I think it's important to always look and 
revise the strategy we have and make it stronger and that 
strategy not only helps direct the efforts of the particular 
agency but really across the Government and other stakeholders 
so they know where we are and other countries and so there have 
been a number of things that were ordered as part of an 
Executive Order early in the Administration on cybersecurity 
issues.
    We still haven't seen the strategy come out of that. We 
haven't seen a comprehensive strategy of how you pull all these 
agencies and others together. Obviously, you know, the 2011 
International Strategy was a good document but that was 2011. 
Things, you know, have continued to advance. So we need to make 
sure we're fine-tuning and prioritizing.
    I'd say one other thing we did in the State Department is 
we had every regional bureau did engagement strategies around 
all these issues and we had two versions of them to really 
fine-tune those efforts. That needs to be done, too.
    Senator Gardner. Do we need an ambassador, cyber Ambassador 
at State Department?
    Mr. Painter. I think we do. I mean, I'm very supportive of 
the Cyber Diplomacy Act. I testified in the House about it. I 
think it's a really good approach. I hope it passes this 
Chamber, as well. I think it really will help elevate our game 
and I think that'll be important and it's not just the 
Ambassador position. It's really the structure that gives this 
heft and priority.
    Senator Gardner. Thank you. Thank you, Mr. Chairman.
    Senator Wicker. Are the panelists all in agreement on the 
concept of a Cyber NATO? Does anyone wish to take issue with 
that?
    [No response.]
    Senator Wicker. No one steps up.
    Mr. Painter. I think it depends on how it's formed. I mean, 
I know Toomas Hendrik is a friend of mine, as well, and it just 
depends on the details and how this gets put but certainly the 
idea of having like-minded countries come together in the 
common defense against shared threats, that's an important 
concept.
    Mr. Bladel. And based on that description, it's something 
that would be interesting but we haven't formed any sort of a 
position on that yet. We're just hearing about it.
    Senator Gardner. Mr. Chairman, it surprises me we don't 
have such a thing. I mean, why don't we have it? What's the 
closest thing we have to such an agreement?
    Secretary Chertoff. NATO does actually work together. They 
have Center of Excellence and they do----
    Senator Gardner. Right.
    Secretary Chertoff.--address this issue. Now the issue 
becomes, I think, in part at what stage you reach the level of 
actually invoking Article V and whether that needs to be 
somehow adjusted in the context of cyber activity.
    I will say that in 2007, when I was Secretary, we did work 
with Estonia when they were attacked by the Russians with a big 
denial of service attack. So I don't think this is a big 
stretch. It may just be more a question of kind of formalizing 
what has been operating for awhile.
    Mr. Painter. And it could be also upping NATO's game more 
on this. I mean, I think NATO has done a lot of things. Cyber 
is one of the key concepts of NATO and that was back now about 
seven or 8 years ago and in the last few communiques from NATO, 
cyber has played a key role. There's a lot of focus on both 
defending NATO countries' assets but also what they can do in 
terms of responding to threats and then part of this is going 
to be beyond NATO.
    If we're going to impose costs on adversaries, like Russia, 
that's going to be us working with other allies. It's not 
necessarily going to be all of NATO but there's going to be a 
subset of us and we need to be able to do that.
    Senator Wicker. Important testimony. Thank you, Senator 
Gardner.
    We now have Senator Hassan.

               STATEMENT OF HON. MAGGIE HASSAN, 
                U.S. SENATOR FROM NEW HAMPSHIRE

    Senator Hassan. Well, thank you, Mr. Chair, and thank you, 
Ranking Member, for this hearing, and thank you to all of the 
panelists for being here today.
    I want to just start with a question to you, Secretary 
Chertoff. On the topic of cybersecurity, I want to address 
Russia's ongoing attacks on our election system and our 
electrical grid.
    Last week, the Wall Street Journal published a story that 
stated that Russia's military and intelligence had consistently 
sought to hack U.S. utilities and critical infrastructure. In a 
few instances, Russia's state-sponsored hackers even gained 
access to the utility control systems.
    As one DHS official stated, this is a quote, ``The Russian 
hackers got to the point where they could have thrown 
switches.'' The Russian penetration of one of our nation's most 
important utilities certainly conjures up fears of a Russia 
cyber attack that would leave American communities without 
electricity for days, weeks, or even months.
    While serving as Secretary, Mr. Chertoff, you helped stand 
up to the National Protection and Preparedness Directorate, 
NPPD, at the Department of Homeland Security, which is charged 
with defending against cyber attacks and strengthening the 
security around our Nation's critical infrastructure.
    Given your history with this mission, could you please 
discuss how DHS can better defend against these Russian attacks 
on our utilities and what sort of tools and relationships are 
needed to stop these attacks?
    I know there was a discussion about this new hub that 
they're thinking about and it sounds to me like a good first 
step, but what should we be doing?
    Secretary Chertoff. So I agree, I think this hub is a good 
first step. You know, when I was in office, we actually talked 
about co-locating the principal actors in the private sector 
critical infrastructure together with our government officials 
so we could really work in real time in identifying threats.
    We're not there yet but I think this is a good step 
forward. I would continue to press that as well as giving 
clarity to some of the elements of critical infrastructure 
about exactly what they need to do.
    One of my recommendations has been to take the Safety Act, 
which applies in giving liability protection for certain 
counterterrorism technologies and extend that to cybersecurity, 
so you'd create economic incentive for companies to invest in 
processes and technologies that would lower their risk of 
cyber. So I think that's one area we ought to be focused on.
    The second, candidly, is we need to have a clear doctrine 
about how we respond to various kinds of intrusions by enemy or 
adversary nations into our critical infrastructure.
    You know, we know what we did in 1963 during the Cuban 
Missile Crisis when missiles were positioned in Cuba. What 
happens when malware's positioned in critical infrastructure? 
Do we treat that as espionage and reconnaissance? Do we treat 
it as positioning a potential weapon?
    I think we need to have clarity and a discussion about what 
our strategic response is to these varying levels of threat. I 
know in the NDAA there's a provision for a Project Solarium in 
cyber which would be the equivalent of what we did after the 
invention of the Atomic Bomb to develop a doctrine, and I think 
having a doctrine and having a strategy and a set of rules of 
engagement would go a long way in creating some element of 
deterrence to what right now, I think, is a very ambiguous and 
challenging environment.
    Mr. Painter. If I could say one thing on that?
    Senator Hassan. Sure.
    Mr. Painter. I think there's a critically important part 
that's missing. We don't even have a declaratory statement that 
things like Russian interference in our election, the big 
NotPetya Worm that caused economic damage with its 
prepositioning is something we're going to take action on and 
impose costs on. We need to do that. We need to do that now.
    Senator Hassan. Well, that's very helpful, and on the issue 
of the private-public not only interaction and partnership 
being important, it's something that I agree with you on and 
that's why today, Senator Portman and I are introducing a bill 
that would establish the DHS Cyber Incident Response Team Act 
and it would authorize in law DHS's Cyber Hunt and Incident 
Response Team and allow select private sector cyber experts to 
participate in these teams. So we're trying to move this 
forward.
    I appreciate that insight very much. I also take to heart 
the point about having a doctrine and really treating cyber 
attacks as the threats that they are and the attack on our 
country that they are.
    Mr. Chairman, I'm just about out of time. So I will yield 
it back. Thank you very much, and thank you all to the 
panelists again.
    Senator Wicker. We didn't have a doctrine in 1963 until it 
happened, did we, Secretary Chertoff?
    Secretary Chertoff. In 1963, what we relied upon was the 
view that essentially positioning missiles very close to the 
United States was sufficiently a war-like act that we could 
engage in a blockade. I think we called it a quarantine to kind 
of fuzz it up a little bit, but I think it relied upon 
principles in the physical world that were relatively well 
accepted.
    It gets much more complicated in cyber because, first of 
all, people loosely use the word ``attack.'' Sometimes it just 
means espionage, which we've never regarded as an act of war. 
Sometimes it means literally something that could result in 
loss of life, which is unquestionably an act of war, and then 
you have this middle position.
    So this is, I think, a much more ambiguous set of 
circumstances than the physical world.
    Senator Wicker. Thank you very much.
    Senator Udall, you've been very patient. Senators have come 
and gone and you've stayed here.

                 STATEMENT OF HON. TOM UDALL, 
                  U.S. SENATOR FROM NEW MEXICO

    Senator Udall. Thank you, Chairman Wicker.
    Senator Wicker. You're recognized for five and a half 
minutes.
    Senator Udall. Thank you. Thank you, Senator Schatz. 
Appreciate the panel being here today.
    As a member of the Foreign Relations Committee, I'm 
particularly concerned about how powerful tech-savvy countries, 
like Russia and China, limit access to the Internet in their 
own nations by banning and controlling any dissent online while 
simultaneously using the same banned platforms, like Facebook, 
to sponsor and promote disinformation in the West and in the 
U.S.
    We are now all too aware of Russia's pervasive misuse of 
social media in our 2016 election and the Brexit vote in the 
U.K. The U.S. has a critical role, I think, as all of you have 
been talking about here, to play in ensuring that we are 
deterring this kind of state-sponsored disinformation campaign 
while promoting an open and global Internet.
    Russia's, and I guess this first question but others can 
comment, as Mr. Chertoff and Mr. Painter, Russian militia cyber 
activity remains a national security threat, no doubt about 
that. They attacked our 2016 election and sponsored the 
destructive NotPetya malware.
    What are the most important actions our Government should 
be taking to deter Russia from this type of malicious activity? 
Just focus on, say, one or two or three like that, I think 
would be good.
    Secretary Chertoff. Well, I think when you deal with 
ransomware, particularly ransomware that can potentially affect 
industrial control systems and have an impact on human life, I 
think that deserves the kind of response that we would do with 
respect to a physical attack that might have a threat to human 
life, which means we have to have the ability to respond either 
in kind or in another way to deter that.
    When it comes to information operations, which, to be 
honest, go back a hundred years to the Comintern, when the 
Soviet Union existed, I don't regard that as an act of war. I 
do think it's a matter where there are things we can do in 
terms of calling out who's really responsible for putting posts 
up or things like the Internet Research Agency in St. 
Petersburg where they use armies of trolls to drive stories, 
but I think legally as well as in terms of our, in general, set 
of values, we don't want to actually censor content, even if we 
know it to be untrue and false because the cure for falsity 
tends to be truth and once you go down the road of censorship, 
it doesn't really stop.
    Mr. Painter. And I would add to that, I think that, you 
know, we've seen a lot of malicious activity from Russia and 
the DNI has said that Russia is one of the foremost damaging 
cyber actors or capable cyber actors, China, Russia, North 
Korea, and Iran, but Russia really at the top, and Russia has 
hit us in a variety of ways, including NotPetya, including the 
election interference, including this prepositioning, and yet 
we haven't really done anything to affect Russian's calculus in 
any event.
    And so we obviously don't want to be overly escalatory. 
We're not going to shut off the lights in Moscow, for instance, 
but we should do something that will actually affect Putin in 
his decisionmaking in the future and there has been this effort 
now to call out things. There has been a NotPetya. A number of 
countries got together and I think that's good to build those 
alliances and have countries to come together and say that 
Russia was responsible. Great. But you're not going to name and 
shame Russia. You actually have to do something that's going to 
have an effect and that goes to the doctrine question.
    And then, also, I would think in the U.S., there are other 
things we could be doing, like having a task force, a high-
level task force to deal with election interference. As a cyber 
guy, I don't think we really saw this coming. We saw threats to 
infrastructure. We saw espionage, but this hybrid attack is 
something that requires a real concerted approach.
    The declaratory policy I talked about is important, too, 
and, look, we can do the sanctions. We can do all the tools we 
have, diplomatic sanctions, law enforcement, and others, but if 
we don't have high-level messaging and consistent messaging 
from the top, that undercuts all those efforts.
    So if you send a message that this is unacceptable and then 
send a message, well, maybe it's OK, that just undercuts 
everything we're doing.
    Senator Udall. Mr. Chertoff or any of the other panelists 
want to weigh in on that?
    Dr. Layton. So I wanted to say thank you for bringing up 
this concern and I certainly agree with the panelists.
    What I just want to emphasize, I think when you--we can 
think about the threats to our security, not just from--maybe 
from military, but there are economic threats, and if I have 
any bit of advice for Congress, I think we haven't paid 
attention to the rise of Chinese platforms.
    Two years ago, the Chinese app market exceeded the United 
States in revenue and downloads and I know a lot of people who 
already use the Chinese versions of Amazon and Google and so 
on, and they don't want to open their markets to the United 
States. They want an indigenous technology strategy, but they 
want to come and take our markets.
    So I would like to put up that the threat of China from an 
economic perspective for our digital economy is just as great 
as the cybersecurity threat from Russia.
    Senator Udall. Do I still have my 30 seconds?
    Secretary Chertoff. Could I just add one other thing I 
think we need to focus on? The Chinese have indicated that in 
the next few years, they want to become global leaders in 
artificial intelligence. The way you build artificial 
intelligence or machine learning is with data and it's not a 
surprise that we've seen some incredibly large data thefts in 
the last few years, like the OPM theft, Yahoo, one of the other 
credit companies, but I think we need to be mindful that these 
kinds of data thefts, while they may not seem that critical, 
actually can be feeding a very significant growth in artificial 
intelligence capability which may be what we're talking about 
in a committee like this in 5 years.
    Senator Udall. You mentioned, Mr. Chertoff, on the 
misinformation and the answer is truth. We should be mindful 
because the frustrating thing is there's an old saying in the 
West. The lie gets halfway around the world before the truth 
puts on its boots. So we need to realize by being open like 
that, we're also taking a hit at the front end but we have 
faith that it will prevail in the end, that the truth will 
prevail.
    Thank you very much. Thanks to the panel.
    Senator Wicker. Senator Markey, are you ready?
    Senator Markey. Ready to go.
    Senator Wicker. Jump in front of Senator Cantwell.

               STATEMENT OF HON. EDWARD MARKEY, 
                U.S. SENATOR FROM MASSACHUSETTS

    Senator Markey. It's a privilege to be at such an important 
hearing today and, Mr. Painter, in your written testimony, you 
state that, ``The future viability of the Internet as a 
platform for commerce and social good depends on that 
platform's security and the long-term stability of 
cyberspace.''
    I share your belief in the importance of cybersecurity and 
I'm particularly concerned about cyber threats of the IoT, the 
Internet of Things or the Internet of Threats, which it is 
simultaneously, where our devices, our appliances, our machines 
all connect with one another.
    Mr. Painter, the EU is currently considering a 
cybersecurity act, which would create a single cyber-security 
certification standard for information and communication 
technology devices.
    I have introduced similar legislation in Congress, the 
Cyber Shield Act. My bill would establish an advisory committee 
of cybersecurity experts from academia, industry, consumer 
advocacy communities, and the public to create cybersecurity 
benchmarks for IoT devices, such as baby monitors, cameras, 
cell phones, laptops, and tablets.
    IoT manufacturers can then voluntarily certify that their 
products meet those industry-leading cybersecurity and data 
security benchmarks and display the certification to the 
public.
    Mr. Painter, are you supportive of establishing voluntary 
standards like this in order to inform consumers and catalyze 
industry investment in cybersecurity?
    Mr. Painter. Senator, I think the U.S. has a history of 
advancing these things, NIST, for instance, with a critical 
infrastructure, the NIST Framework.
    I think in this area, this is a lot like a UL----
    Senator Markey. UL?
    Mr. Painter. Underwriters Laboratory on electric devices, 
and I think it has a lot of merit. I think it makes a lot of 
sense, particularly if you look at a couple things.
    One, voluntariness, two, built with the industry that it's 
meant to apply to, so the industry and it's not a one-size-
fits-all and I don't read your bill to be that. I read your 
bill to be built with industry, with this advisory committee.
    I think also it needs to be risk-based, so you're not 
necessarily prescribing a particular technology but you're 
looking at what the risks are. I think all those are good 
things.
    I think there are a lot of comments that the U.S. 
stakeholders have had in the EU Cybersecurity Act that they've 
taken. The one thing I'd also be cautious of is to make sure 
that it's not creating a conflicting regime with what's being 
done in the EU but at the same time, I think would show U.S. 
leadership because a lot of countries are thinking about this.
    I know Singapore and a number of other countries are 
creating consortiums and other people to look at IoT regulation 
and artificial intelligence regulation.
    I know DHS and Commerce put out some principles on this 
about a year and a half ago, but I think this kind of voluntary 
regime built with industry has a lot of merit.
    Senator Markey. Do any of the rest of you agree that a 
voluntary regime could work in the United States using that 
kind of framework? Yes, Mr. Secretary.
    Secretary Chertoff. I agree with that and something I 
suggested a little bit earlier might also be relevant here, 
which is to take the Safety Act concept, which we use with 
respect to counterterrorism technologies, and apply that over 
here, as well, because it creates an economic incentive to get 
the certification since the Safety Act caps liability and 
damages. So I think that kind of approach would be very 
worthwhile.
    Senator Markey. Thank you. Ms. Zheng.
    Ms. Zheng. I was just going to add, I think I want to 
reiterate on Chris Painter's point, which is interoperability 
is a key issue here.
    One concern is that if there is a voluntary regime here in 
the United States for IoT that dictates how IoT products are 
designed or developed or maintained, that other countries would 
also feel that that gives them license to develop their own 
national approach and there again you have tremendous 
fragmentation.
    So, you know, I'm happy to hear that the approach that 
you're thinking is inclusive of industry and developing it, but 
I think that fragmentation concern is real.
    Senator Markey. Mr. Painter, if I may, Secretary Tillerson 
chose to downgrade the cyber coordinator position, your former 
position, last year, even as we know there's an intensification 
of cyber attacks on our country. We know that there is 
malicious cyber activity coming from North Korea, from Russia, 
from China, from other places.
    What's your recommendation as to what our Government should 
be doing in order to elevate rather than downgrade this role?
    Mr. Painter. So I think the threats are only increasing. 
The policy threats are increasing. The technical threats are 
increasing. The actors that are attacking us, whether they be 
transnational or organized criminal groups or nation states, 
are increasing.
    We have to make this a national priority. We can't afford 
to demote this issue or make it a boutique issue that's only 
dealt with it by the cyber people. This has to be an engrained 
national priority from this Administration, from every 
Administration, and I think downgrading these roles and 
downgrading the roles at the White House sends the wrong 
message to both our friends and our adversaries. We need to 
lead in this area.
    Senator Markey. Yes. I hear you. I think the Trump 
Administration made a big mistake. We will in fact put the laws 
on the books that we need. I'm afraid it's just going to come 
after we have a catastrophic event in our country and then 
everyone will say who knew this could happen. We know this can 
happen. That's what you're testifying today. We should put the 
preventive laws on the books.
    Thank you, Mr. Chairman.
    Senator Wicker. Thank you very much, Senator Markey.
    Senator Cantwell.

               STATEMENT OF HON. MARIA CANTWELL, 
                  U.S. SENATOR FROM WASHINGTON

    Senator Cantwell. Thank you, Mr. Chairman, and thanks for 
having such an important hearing, and I really appreciated the 
testimony of the witnesses. You've all said very illuminating 
things as it relates to our challenge as a nation, both on the 
commercial side of working together on tightening up where we 
are and certainly, Mr. Chertoff, talking about the attacks to 
the grid and the large-scale efforts on things like Ukraine can 
be very devastating to the United States, and, Mr. Painter, 
thank you for articulating that we need to be doing much, much 
more than we're currently doing.
    That's why last week, my colleague and I, Senator Graham, 
sent a letter to the President saying please step up, both on 
the assessment side and the resource side because this is a 
pretty big issue.
    But one thing I wanted to ask about, writ large, given all 
of your testimony, because I agree, I don't think provocation 
comes anymore with a foreign sticking its, you know, nose in 
U.S. waters or a plane flying over. I think provocation comes 
from, you know, this kind of hacking of a power plant or a 
pipeline or something of that nature that we are seeing in 
other parts of the world.
    So I think this debate has gotten a little off course as it 
relates to what we do and what other people do and I just want 
to be clear since you're all articulating an international 
focus.
    Should it be clear and should the United States lead such 
an effort that any attack on an election system, that is the 
actual system itself, to interfere with an election, should be 
something that we should unite the entire world, that that is a 
cyber crime, and should be prosecuted?
    Mr. Painter. Well, we saw two aspects of this. One, the 
attempted attack on the election infrastructure itself and also 
the influence operations, so we meet those in two different 
ways.
    But, absolutely, if you look at critical infrastructure, 
yes, we're working about prepositioning on power grids and 
other things, but if there's an attack that really undermines 
the democratic foundation of our system, that's a huge deal and 
we need to take that seriously.
    In this Commission that both Secretary Chertoff and I are 
on, this Commission for the Civil Society, we just recently 
released a proposed norm for governments and others to take up, 
which is exactly that, you should not attack the systems, the 
devices, the mechanisms that are used for elections, for 
democratic and other elections, and I think that's a key thing.
    So, absolutely, and I think that's one of the things we 
should continue to have discussions with other countries on. We 
know that the Dutch, we know the Germans, the French, and 
others have also and the Estonians and almost all the Baltic 
countries have seen this. So it is absolutely a big deal.
    Senator Cantwell. Is everybody else in agreement with that?
    Dr. Layton. What I would just like to add, I really welcome 
that Congress is taking the concern, taking this up, but what I 
think it's important to say that there has been desire by other 
countries to influence our elections for decades.
    So, you know, this isn't the first time it's happened. I 
think it's great that Congress responds now but this has been 
going on for a long time and just to pick up the point, I 
applaud that Congress is going to pick up legislation to look 
at particular areas we need for cybersecurity.
    Senator Cantwell. No. I'm asking you whether you believe in 
an international--that we should be leading the charge 
internationally to say that anybody who tries to influence with 
the election process in a cyber way is a cyber crime and that 
we should unite the world against that? That's what I'm asking.
    Dr. Layton. OK. No, what I would like to express to you is 
I think that the cyber concern has been maybe for 25 years now 
and we have been slow to fully integrate it into the military.
    So I don't think we need to make the silo. I think it 
should be fully part of the military from the ground up. So I 
don't need to have to call it that and so there has been some 
resistance because of maybe the way the established Defense 
Departments are. They have their turfs that they have been 
reluctant to bring cyber in and integrate it as they should.
    Senator Cantwell. Trust me, that's why I'm working with 
Senator Graham, because the two of us are going to keep 
focusing on this.
    Mr. Chertoff.
    Secretary Chertoff. I have to say I completely agree that 
we ought to work with all of our like-minded colleagues 
overseas to see that interfering with the actual infrastructure 
of elections is completely off limits and unacceptable.
    The information operations gets challenging because while 
we should resist them, we need to be careful how we articulate 
it because if you go to Moscow, they'll say, great, let's get 
rid of, you know, the National Endowment of Democracies and, 
you know,----
    Senator Cantwell. I agree. That's why I'm bringing this up, 
Mr. Chertoff, because I do not want to lose action on the first 
part.
    Secretary Chertoff. Correct.
    Senator Cantwell. And we should be leading the charge. No 
government should be involved in interfering with the actual 
election operations. End of story. We should be leading the 
charge, but there are some people running around this town 
basically saying, oh, well, there's this other stuff and we all 
do it and we should let this go. We should not let this go, so.
    Secretary Chertoff. I agree with you. They're totally 
different. We should not blur the lines in a way that blunts 
our ability to respond.
    Senator Cantwell. Thank you, Mr. Chertoff. Thank you.
    Senator Wicker. Thank you, Senator Cantwell.
    Senator Cruz.

                  STATEMENT OF HON. TED CRUZ, 
                    U.S. SENATOR FROM TEXAS

    Senator Cruz. Thank you, Mr. Chairman. Good morning. 
Welcome to each of the witnesses. Thank you for being here.
    Dr. Layton, this past January, as you know, a memo leaked 
from the National Security Council which called for 
nationalizing the 5G Mobile Broadband Networks and since then, 
the Administration has been less than clear in rejecting that 
idea.
    I and many members of the Senate consider that to be a 
profoundly bad idea. That's why Senator Cortez Masto and I 
together introduced the E-Frontier legislation last week, which 
would prohibit the Federal Government from nationalizing our 
Nation's commercial telecommunications network without 
authorization from Congress.
    Dr. Layton, in your judgment, what would it mean if the 
Federal Government were to nationalize our Nation's 5G 
networks?
    Dr. Layton. There would be a disaster. I saw the press 
release today, and thank you and Senator Cortez Masto for your 
leadership. It certainly helps me sleep well at night.
    But I would say if there's one point that we know in 
telecommunications policy that we have evidenced over and over 
again is that governments should not be running the 
telecommunications network. It has been a colossal waste of 
money, colossal waste of energy, and it's not where we should 
put our resources, particularly when we have private companies 
who are willing to put up $300 billion to have all kinds of 
competitive 5G networks. So it's not where we should put our 
money.
    Senator Cruz. In your judgment, is the E-Frontier Act the 
right direction for this committee and Congress to go?
    Dr. Layton. Absolutely.
    Senator Cruz. Does anyone on the panel disagree? Does 
anyone think that the Federal Government nationalizing 5G is a 
good idea?
    [No response.]
    Senator Cruz. Secretary Chertoff, what are your thoughts on 
the implications, if the Government were to try to nationalize 
5G?
    Secretary Chertoff. Well, again, I'm not sure exactly what 
that would look like. I'm not sure exactly what that would look 
like, but, in general, I think nationalization of a function 
like that stifles innovation and puts the Government in a 
position which overreaches in terms of what its proper role is.
    Senator Cruz. Mr. Bladel, there has been considerable 
attention devoted in Congress and in the national discussion to 
the role of tech companies and social media companies engaging 
in political censorship.
    What do you think the role and what does GoDaddy think the 
role should be of tech companies censoring the speech of 
others?
    Mr. Bladel. So thank you, Senator. I can't speak for the 
entire industry but from GoDaddy's perspective, we do not want 
to be an arbitrator of free speech. We don't believe that's an 
appropriate role for us as a private sector company. We are 
supporters of an open Internet that supports free expression 
and welcomes all views.
    That said, we do have Terms of Service for using our 
platform for communication and there are some very specific 
cases that would cause us to suspend or terminate service, 
illegal activities, threats of violence, and pharmaceutical 
sales and things that are called out in our Terms of Service.
    So any content complaints that we receive are subject to a 
case-by-case review and then we decide according to our Terms 
of Service, but as a private sector company, we do not want 
that role.
    Senator Cruz. So I think you would not find disagreement 
when it comes to shutting down criminal enterprises conduct 
that clearly violates criminal law. What does obviously raise 
questions is when it's not criminal conduct, it is simply 
content that may be offensive, that may be wrong, but that is 
not illegal, and then the question becomes who should be the 
gatekeeper. Who decides what speech is permissible and what 
speech is not.
    Have there been instances in your company's history where, 
because of disagreement with content, you have shut down access 
to a website?
    Mr. Bladel. So typically as part of that review, the 
content would have to contain illegal materials or rise to the 
level of a direct call for or threats of violence for us to 
take action.
    Senator Cruz. You obviously operate within the tech space. 
Should social media companies, in your judgment, be neutral 
public forums? Should they respect First Amendment principles 
and allow, as John Stuart Mill put it, the cure for bad speech 
to be more speech rather than a priori censorship?
    Mr. Bladel. So in my view, and I think this is shared by 
GoDaddy and other companies in our space, is that we want the 
Internet to be as open and welcoming as possible for free 
expression and that it's not the role of the platform to judge 
content on whether it's offensive or whether it's allowable. It 
should only be on those narrow cases of illegal materials.
    Senator Cruz. Thank you.
    Senator Wicker. Thank you very much, Senator Cruz.
    Senator Klobuchar.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank 
you to all of you.
    We have a Judiciary hearing going on. So I just snuck down 
here and I want to thank you for your work.
    As many of you know, I've worked, because of my role on 
Judiciary and Rules and this Committee, I've worked really hard 
on this issue and I really see this, what happened to us in the 
last election, as a cyber attack and there are plenty of good 
issues that were raised here by my colleagues about the power 
grid and other things, but I want to focus on this, and I'll 
start with you, Mr. Chertoff.
    I know you mentioned the bill I have with Senator Lankford, 
the Secure Elections Act, which would basically streamline 
information-sharing between Federal and State agencies. It was 
quite an outrage that our 21 states that were hacked and too 
many of them didn't find out for a year and that way they can't 
protect themselves because they don't know what other hack was 
going on in another state.
    So my first question is, do you think our states are 
adequately prepared? You know, we got the $380 million out in 
the last budget agreement, and what else should we be doing to 
protect our voting equipment?
    Secretary Chertoff. Well, I think there's greater 
understanding now they have to get engaged and they have to get 
engaged with DHS.
    When I was at Aspen a couple weeks ago, I mean, the word we 
got from DHS was that all the states to some degree are 
engaging now, but to be honest, this ship is going to take 
awhile to turn around.
    You've got aging infrastructure in many places. I think 
some states are not even fully aware of how much they're 
connected to the Internet.
    Senator Klobuchar. You also have 14 states that have either 
no paper ballot or partial paper ballot.
    Secretary Chertoff. Right. And that's going to require a 
change in equipment and change in protocol.
    So the short answer is we're not where we need to be. We're 
moving in the right direction. We ought to press the 
accelerator on this. I don't know that we're going to have this 
problem fixed by 2018. I would be very doubtful, but certainly 
we're going to have elections in 2020 and by then, we should 
have had the problem fixed. So we've got to step it up.
    Senator Cantwell. And what's Microsoft's Defending 
Democracy Initiative doing to help state and local officials?
    Secretary Chertoff. What they're trying to do is, and I 
think it's a relatively new initiative, is work with a lot of 
different groups to both help people understand what the 
threats are--I mean, I think at a public forum we had in Aspen, 
they indicated that in fact they identified some candidates 
whose databases had been hacked.
    I think raising awareness, sharing the information about 
technical solutions, and working both in terms of raising the 
game on infrastructure protection and more generally on 
information operations. They're looking at kind of supporting 
all these efforts.
    Senator Klobuchar. And then also on the front of the 
political ads, as you know, it wasn't just about elections and 
candidates, it was also disrupting democracy with issue ads. 
That's why I've introduced the Honest Ads Act with Senators 
McCain and Warner.
    Do you agree that it's important that we have uniform 
standards across platforms for these ads?
    Secretary Chertoff. Yes. Absolutely. It's crazy to say that 
we can require for television ads or newspaper ads but not to 
do it for platforms, and let me just add one other thing. This 
is not just about elections.
    I think that we are seeing and will continue to see Russian 
efforts to motivate people to have civil disorder where they 
get both groups on the right and the left to come to the same 
place and they try to gin up violence.
    Senator Klobuchar. Thank you. Those are the issue ads that 
are included in our bill but some of the platforms are saying, 
well, we should just do candidate ads, which is not the 
standard for radio or TV or newspaper, and we've seen what they 
were doing in energy issues and other things where they 
actually had a financial interest, Russia did.
    Secretary Chertoff. Yes.
    Senator Klobuchar. And I think they've been overlooked 
because of the obvious focus on the 2016 election.
    Secretary Chertoff. That's exactly right.
    Senator Klobuchar. OK. Dr. Layton, my last question here. 
Over the last few years, we've seen personal information be 
disclosed. We are proud of our social media and Internet 
companies in the U.S. They're incredibly innovative and a lot 
of smart people are working there, but yet even Mr. Zuckerberg 
at his hearing has said that we need to put some rules of the 
road in place. They don't have to be exactly what Europe did. 
We can do our own.
    Could you comment on the Social Media Privacy Protection 
and Consumer Rights Act that Senator Kennedy and I introduced?
    Dr. Layton. Well, you know, I want to applaud you for your 
leadership and I think if anybody thinks Congress is not up to 
task, you've proven them wrong. You know, you guys were very 
quick to turn something around and I'm very grateful for that.
    So, I mean, I think in this hearing, this is exactly the 
steps that we need to take. In terms of--and this is the 
conversation. It would be wrong to say, oh, you know, Europe 
did this, let's hurry up and get our version. I think that's a 
mistake. I think that this committee is going through the 
necessary steps. It's taking the input from all the 
stakeholders and, you know, I think my particular feedback 
today is the two important components that we haven't included 
that's very important is the consumer education component as 
well as we need incentives for privacy-enhancing technologies 
and that's why a safe harbor that would allow a company to 
innovate a new technology, they wouldn't be punished for it, 
for example, because we know the first time you make a version 
of your product, it may not work, and so there's no kind of--we 
need a safe harbor for that permissive innovation.
    I think that your bill had a provision for that and I thank 
you for that. I think ultimately we'll win this through 
innovation, science and technology.
    Senator Klobuchar. Thank you very much, and the rest of the 
questions I will do on the record because I'm out of time, but, 
Ms. Zheng, I did have a question about data localization and 
the problems that creates and will just do that on the record, 
and then, Mr. Painter, I'm sure I'll have some cyber attack 
questions to ask you about.
    So thank you very much.
    Senator Wicker. Thank you, Senator Klobuchar.
    I have a letter, dated today, to Senator Schatz and me, 
from Pat Kane, Senior Vice President of Verisign, Incorporated, 
and I ask unanimous consent to place it in the record at this 
point. Without objection, that will be done.
    [The letter referred to follow:]

                                                      July 31, 2018
Hon. Roger Wicker,
Chairman,
Subcommittee on Communications, Technology, and the Internet,
Committee on Commerce, Science, and Transportation,
Washington, DC.
Hon. Brian Schatz,
Ranking Member,
Subcommittee on Communications, Technology, and the Internet,
Committee on Commerce, Science, and Transportation,
Washington, DC.

Dear Chairman Wicker and Ranking Member Schatz:

    Thank you for holding today' s hearing, which provides Committee 
members the opportunity to explore important issues regarding the 
global Internet and digital communications issues. Verisign is an 
important stakeholder in the global Internet ecosystem. Our company 
operates the critical infrastructure that helps keep the world's 
digital economy online. We perform critical and unique services that 
keep the Internet running. We publish the authoritative root zone file 
daily, we operate 2 of the world's 13 root servers, we operate the 
network infrastructure for the most important top-level domains, .com 
and .net, and we are trusted to provide the back-end operations to the 
United States government for the critical .gov TLD. We are proud that a 
few weeks ago we marked our 21-year anniversary for operating the .com 
and .net Domain Name System without any service interruption.
    With this background in mind, we are writing to offer Committee 
members our perspective--based on the company's 25-year history of 
providing critical infrastructure services for the global Internet 
community--on policy issues surrounding the domain name system (DNS), 
and in particular, issues related to the Cooperative Agreement between 
Verisign and the Department of Commerce. Arguments related to the 
Cooperative Agreement arise in the written testimony of Mr. James 
Bladel, GoDaddy's Vice President of Global Policy. That testimony does 
not, however, adequately describe the vibrant and competitive landscape 
in the DNS that has taken root after 25 years of U.S. Government policy 
that established competition in the DNS as an important objective at 
the dawn of the Internet era. We will help complete that record today.
    While GoDaddy asserts that Verisign's share of the ``legacy generic 
Top-Level Domains (gTLDs) is over 80 percent,'' this presents an 
unrealistic and incomplete snapshot of the global DNS. Indeed, since 
2012, roughly 20 million domains have been registered in other TLDs, 
including new gTLDs (like .attorney and .bank) and ccTLDs (like .uk and 
.de), all of which compete for registrations in this industry. In fact, 
.com and .net make up only about 44 percent of the total world wide 
registrations, a number that has been shrinking since the introduction 
of new gTLDs by ICANN in 2012. Verisign is limited by regulation that 
requires it to sell domain names only to accredited retailers at a 
fixed price of $7.85. Verisign is also prohibited by regulation from 
selling directly to consumers. These retailers, of which GoDaddy is by 
far the dominant market power, sell to consumers and, because they are 
unregulated, they sell domain names for any price they choose. 
Furthermore, GoDaddy sets market prices both in the U.S. and abroad 
unfettered by government or ICANN regulation.
    Second, Mr. Bladel discusses the negative impact of .com pricing on 
small business who are ``very sensitive to price increases'' and that 
``any increase has the potential to suppress their ability to grow. . . 
.'' Mr. Bladel however, does not disclose that GoDaddy sets the price 
for domain names and that for many names, it charges prices that are 
many thousands of times the wholesale price of $7.85. GoDaddy sets 
these prices and charges consumers, including its small business 
customers, the prices it believes the market will bear.\1\ In fact, 
recently, GoDaddy has become one of the biggest players in the 
secondary market--having bought hundreds of thousands of these domain 
names so that it can sell them to consumers at prices far in excess of 
their wholesale price of $7.85. Some estimate that the secondary market 
exceeds $1.6 billion per year. Indeed, GoDaddy has a platform that it 
uses and allows other to use to sell these domain names in addition to 
the many hundreds of thousands of names it has already purchased. For 
example, offered on GoDaddy's website today:
---------------------------------------------------------------------------
    \1\ The benefits from the regulatory price caps on .com that 
GoDaddy and others do not want changed have not been uniformly passed 
on to consumers.

   ``Olemiss.com'' offered at $9,499 (Ole Miss is a registered 
---------------------------------------------------------------------------
        trademark of the University of Mississippi)

   ``BestUsedCars.com'' offered at $27,900

   ``Yoursenator.com'' offered at $9,999

   ``MariaCantwell.com'' offered at $9,888

   ``SenatorMarcoRubio.com'' offered at $5,000

   ``SenatorLee.com'' offered at $5,000

   ``SenatorCruz.com'' offered at $5,000

   ``Blackburn.com'' offered at $127,400

    Third, Mr. Bladel recommends that the .com Registry Agreement 
between ICANN and Verisign be ``put out for competitive bid.'' Again, 
Mr. Bladel's testimony fails to disclose a critical fact and that is 
that every single registry agreement with I CANN, not just .com but 
over a thousand of other such agreements, contain a presumptive right 
of renewal that requires I CANN to renew the agreement unless the 
registry operator does not perform its obligations under the agreement. 
As Mr. Bladel admits, there are ``no complaints'' with our performance 
under this agreement and therefore, there is simply no basis to raise 
this issue.
    Finally, the Committee should recognize that Mr. Bladel's testimony 
with respect to the Cooperative Agreement, could be seen as that of a 
distributor who seeks to constrain the wholesale price \2\ of its best-
selling product in the name of consumers without acknowledging its own 
substantial commercial interest in doing so, or its own practice of 
reselling domain names at exorbitant prices. And while completely 
ignoring the critical infrastructure services Verisign provides not 
just to GoDaddy and its customers, but to Internet users world-wide, 
who, for 21 straight years have had uninterrupted availability of our 
networks in order to reach their online destinations.
---------------------------------------------------------------------------
    \2\ Consumers can avoid any price increase in any lCANN top-level 
domain by purchasing a ten=year registration as permitted under all 
ICANN registry agreements.
---------------------------------------------------------------------------
    Verisign thanks the Committee for the opportunity to provide this 
perspective given our experience as a leading critical infrastructure 
provider for global Internet services.
            Sincerely,
                                                  Pat Kane,
                                              Senior Vice President
                                                         VeriSign, Inc.

    Senator Wicker. We are told that another distinguished 
Member of the Committee may be on his way.
    Senator Schatz, I think this has been a very excellent 
hearing. Perhaps we can filibuster for another moment or two. 
There are dozens of questions we could ask.
    You know, Dr. Layton, are you speaking for AEI or on your 
own behalf?
    Dr. Layton. No. Thank you for giving me that opportunity to 
clarify. As my submitted testimony shows that I do not 
represent the positions of AEI or any other entity. I'm 
speaking purely in my own capacity. I also am a visiting 
researcher at Aalborg University in Copenhagen, Denmark. We 
have a center that works on privacy and security research. So 
my work is--I'm not speaking for that center but it is informed 
by the research that we do there.
    Senator Wicker. And, Ms. Zheng, you are speaking today on 
behalf of Business Roundtable, are you not?
    Ms. Zheng. That's correct, sir.
    Senator Wicker. Yes. You know, I noticed that AEI published 
an article just a few days ago with regard to the $5 billion EU 
fine against Google and it stated that EU's record $5 billion 
fine for antitrust violations involving its Android operating 
system is protectionism masquerading as consumerism.
    It strikes me that AEI's got a point there, Dr. Layton.
    Dr. Layton. Well, AEI doesn't make any official positions. 
We have many--we have over 200 scholars. We all have different 
views. We have major debates within our organizations. 
Sometimes we have more anger against each other than people 
outside the AEI. So we actually take very disparate positions 
because we believe in the competition of ideas.
    Senator Wicker. Very good. Would anyone else like to 
comment on that? Mr. Bladel.
    Mr. Bladel. Senator, thank you, yes. I think that from our 
perspective, it just shows what we're up against in terms of 
the EU's willingness to impose fines on U.S. tech firms, 
whether that's coming from this particular incidence, which is 
involving mobile operating systems, or whether that's coming 
from something like GDPR. It's one of the reasons why we're 
proceeding very cautiously in our compliance efforts with 
regard to those European regulations.
    Senator Wicker. It seems that all is not well between our 
Government and the EU.
    The hearing record will remain open for two weeks. During 
this time, Senators will be asked to submit any questions for 
the record. Upon receipt, the witnesses are requested to submit 
their written answers to the Committee as soon as possible.
    Thank you all and this hearing is now adjourned.
    [Whereupon, at 11:55 a.m., the hearing was adjourned.]

                            A P P E N D I X

   Prepared Statement of Hon. Bill Nelson, U.S. Senator from Florida
    Each day, around the world, billions of dollars in digital commerce 
is conducted online. And that economic value does not take into account 
the enormous social and political contributions the free and open 
Internet has made--and continues to make--around the world.
    The internet's vast success is intertwined with its fundamentally 
global nature. Thanks to the work and cooperation of many around the 
world, the Internet of today truly is borderless. A small business in 
Florida can create a website and instantaneously sell products and 
services all over the globe. A photographer along the Space Coast can 
post images of the latest commercial space launch and inspire 
schoolchildren in faraway lands. A researcher at a Florida college or 
university literally has at her fingertips the collected knowledge of 
all of history--whether that knowledge resides in Europe, Africa or 
Asia. And any of the millions of citizens of my home state can stay in 
touch with friends and relations around the world through social media, 
e-mail, and many other internet-based platforms.
    But we cannot take for granted that the Internet of today will be 
the Internet of tomorrow.
    First, nefarious actors continue to exploit the global Internet to 
harm democracy, human rights and trade. Each day it seems we uncover 
new information about election meddling and disinformation campaigns by 
state and non-state actors targeting the heart of our democracy. Cyber-
attacks are becoming a daily occurrence--many of which are launched by 
our foreign adversaries. We know for a fact that these cyber-attacks 
have penetrated critical parts of our infrastructure and economy--
including major defense contractors, international corporations, and 
our power grid.
    Second, many countries around the world are adopting policies that 
threaten to fragment the global internet. Of course, each nation bears 
a solemn responsibility to protect its citizens from harm--including 
the unique harms to privacy and security that come from the internet. 
But when those restrictions are used for digital protectionism or to 
harm international competition, they start to unravel the global 
internet.
    Our country must continue to defend the free and open internet, 
which depends on the ongoing successful multistakeholder approach to 
international Internet governance. But to defend today's Internet from 
fragmentation, it requires diplomacy and international engagement on 
these issues at the highest level. Yet we stand at a time when the 
budget of the State Department has been slashed, when our cyber-
diplomatic core has been decimated, and when our Nation's relationships 
with our traditional allies (allies that in the past have supported our 
approach to international Internet governance) are increasingly 
strained.
    We must redouble our efforts to defend a free and open Internet 
throughout the world. We cannot stand for gatekeeper control to the 
internet--even more so when a nation is trying to undermine the value 
of the Internet as a platform for digital commerce and information 
exchange. I am glad our witnesses are here today to reaffirm the need 
for the U.S. to be at the table in international fora on Internet 
governance and to engage in productive bilateral and multilateral 
conversations on the future of the Internet with our international 
partners. Failing that, I fear that the transformative and equalizing 
benefits of the Internet we have seen in the last two decades could be 
undone.
                                 ______
                                 
                                             CreativeFuture
                                                      July 17, 2018

Hon. Chuck Grassley, Chairman,
Hon. Dianne Feinstein, Ranking Member,
Senate Committee on the Judiciary,
Washington, DC.

Hon. John Thune, Chairman,
Hon. Bill Nelson, Ranking Member,
Senate Committee on Commerce, Science, and Transportation,
Washington DC.

Dear Chairmen and Ranking Members:

    We, the undersigned, are creatives who make our living in the 
entertainment industries. Whether we work in film, television, 
publishing, music, or photography, we and our colleagues have all been 
affected by the rampant, illicit activity that occurs on the major 
Internet platforms, including Google and Facebook.
    There has been growing concern in Washington, in the press, and 
among Americans about the lack of responsibility exercised by the major 
Internet platforms toward harmful and illegal activity taking place on 
their services.
    For decades, online gatekeepers like Facebook and Google have 
turned a blind eye to the proliferation of widespread societal harms on 
their platforms. From sex trafficking to foreign influence over our 
elections, from privacy to piracy, it has become increasingly clear 
that more needs to be done to ensure platform responsibility.
    In recent hearings in both the House and the Senate, Facebook's 
CEO, Mark Zuckerberg, characterized Silicon Valley's failure to take an 
appropriately broad view of its responsibility as a ``big mistake.'' 
But whether the lack of responsibility was a ``mistake'' or something 
else, the failure of Facebook, Google, and others to take 
responsibility is rooted in decades-old government policies, including 
legal immunities and safe harbors, that treat these companies 
differently than other industries and actually absolve internet 
platforms of responsibility.
    This must change. As long as these companies are allowed to 
continue to operate in a policy framework that prioritizes their growth 
and wealth over accountability, American creativity will be harmed 
along with many other important societal interests.
    Google needs to join Mr. Zuckerberg in stepping forward and 
embracing a broader view of its responsibility. But the real problem is 
not any one company. The problem is endemic in a system that applies a 
different set of rules to the Internet because it's ``exceptional,'' 
and utterly fails to impose ordinary norms of accountability on 
Internet businesses that are built around monetizing the content of 
others.
    We want to sincerely thank you and your colleagues for asking 
Facebook to testify--and Google should be next up to the microphone. We 
understand that Google has been invited to appear. This problem will 
continue to affect millions of Americans, both in their day-to-day 
lives and in their pocketbooks, until action is taken to correct it. 
It's long past time to hold Google, Facebook, and other Internet 
platforms responsible for their actions and inactions that hurt 
consumers, creativity, and the American economy.
            Sincerely,

Pamela Abdy
Makeready
Executive Producer: Kill the Messenger
Producer: Garden State, Identity Thief

Gina Amoroso
Co-Producer: Revolutionary Road

Dave Andron
Executive Producer: Justified, Snowfall

Eli Attie
Co-Executive Producer: House, M.D.
Producer: The West Wing

John Baldecchi
Digial Riot Media
Executive Producer: Happy Death Day
Producer: Conan the Barbarian, Point Break

George Bamber
Director: Hit the Floor
Assistant Director: S.W.A.T.

Chris Baumgarten
Producer: All I See is You, The Forgiven, Shattered Glass
Co-Producer: Hook

Peter Baxter
President and Co-Founder, Slamdance Film Festival

Susan Becker
Costume Designer: Father of the Bride, Flatliners, True Romance

Harold Becker
Director: Malice, The Onion Field, Sea of Love

Larry Becsey
Partner, Intellectual Property Group

Steve Beeks
NEXT Entertainment

Betsy Beers
Executive Producer: For the People, Grey's Anatomy, How to Get Away 
with Murder, Station 19

Alec Berg
Executive Producer: Barry, Silicon Valley

Albert Berger
Bona Fide Productions
Producer: Election, Little Miss Sunshine, Nebraska

Claire Best
Claire Best & Associates

Tony Bill
Director: Flyboys
Executive Producer: Going in Style
Producer: The Sting

Jason Blum
Blumhouse

Bill Borden
Executive Producer: High School Musical, Kung Fu Hustle
Producer: El Mariachi, End of Days, La Bamba

Marty Bowen
Temple Hill Entertainment
Producer: First Man; The Fault in Our Stars; Love, Simon; The Maze 
Runner Trilogy; Uncle Drew

Chris Brancato
Co-Creator: Narcos

Mark Burg
Producer: Saw, Saw II, Saw III, Saw IV, Saw V, Saw VI, Saw VII
Executive Producer: Anger Management, Two and a Half Men

Allison Burnett
Writer, Director, Producer, Executive Producer: Ask Me Anything
Writer: Autumn in New York

Eric Cady
Senior Counsel, Independent Film & Television Alliance

Alessandro Camon
Executive Producer: Wall Street: Money Never Sleeps
Writer: The Messenger

Benedict Carver
Eclipse Pictures, Inc.
Executive Producer: Eye in the Sky, Map to the Stars, Winchester

Jon Cassar
Executive Producer: 24, Forsaken
Director: 24, Forsaken, Fringe, Medici: The Magnificent, The Orville, 
Revolution

Cotty Chubb
Producer: The Dinner, Eve's Bayou, Pootie Tang

Dylan Clark
Dylan Clark Productions
Producer: Planet of the Apes Trilogy

Jane Clark
Film McQueen
Producer: Elena Undone
Director, Editor, Producer, Writer: Crazy Bitches, Meth Head

Tena Clark
CEO, DMI Music
Author: Southern Discomfort

Susan Cleary
Vice President & General Counsel, Independent Film & Television 
Alliance

Christopher Cleveland
Writer: Glory Road; McFarland, USA

Bruce Cohen
Producer: American Beauty, Milk, Silver Linings Playbook

Charlie Corwin
Founder, Corwin Media
Executive Producer: Dual Survival, Half Nelson
Producer: The Squid and the Whale

Julie Costanzo
Co-Producer: Miss Representation
Producer: Adventure Divas, The Virgin Suicides

Cindy Cowan
Executive Producer: Red Lights, Savior
Producer: Very Bad Things

Pierce Cravens
Metropolitan Entertainment
Theatre Producer: Oh, Hello
Producer: Concrete Kids, This Isn't Funny

Kirk D'Amico
President, Myriad Pictures
Producer: The Last Word
Executive Producer: Kinsey, Margin Call, Van Wilder

Martha De Laurentiis
Producer: Hannibal, Red Dragon, U-571

Donald De Line
Producer: I Love You, Man; The Italian Job; Ready Player One

Chip Diggins
Producer: Nancy Drew and the Hidden Staircase, A Walk in the Woods

Joshua Donen
Producer: Gone Girl, The Quick and the Dead
Executive Producer: House of Cards, Mindhunter, Spartacus

Dennis Dugan
Director: Big Daddy, Grown Ups, I Now Pronounce you Chuck & Larry, You 
Don't Mess with the Zohan

Cassian Elwes
Producer: Dallas Buyers Club, Mudbound
Executive Producer: Lee Daniels' The Butler, Margin Call

Clay Epstein
President, Film Mode Entertainment

Blye Faust
Rocklin | Faust
Producer: Spotlight

Adam Fields
Producer: Brokedown Palace, Donnie Darko, The Wedding Ringer

Wendy Finerman
Producer: The Devil Wears Prada, Drumline, Forrest Gump, P.S. I Love 
You

Cesar Fishman
Senior Vice President of Communications, CreativeFuture

John Flock
Executive Producer: The Good Shepherd
Producer: Bullet, Fortress

Christopher Floyd
Chief Operating Officer, Amblin Partners

Gary Foster
Producer: Daredevil, Ghost Rider, Sleepless in Seattle

Lucas Foster
Producer: Jumper, Man on Fire, Mr. and Mrs. Smith

Anne Marie Fox
Still Photographer: Dallas Buyers Club, Lee Daniels' The Butler, Sharp 
Objects, The Zookeeper's Wife

Kevin Goetz
Founder and CEO, Screen Engine/ASI

Neil Goetz
Executive Creative Director, The Engine Room
Co-Director of Development and Acquisitions, BBMG Entertainment

Norman Golightly
Executive Producer: Ghost Rider, The Sorcerer's Apprentice
Producer: Lord of War

Keith Gordon
Sidetracked Productions Inc.
Director: Better Call Saul, Fargo, Homeland, The Leftovers, Legion, A 
Midnight Clear, Mother Night, Waking the Dead

Mark Gordon
Entertainment One
Executive Producer: Quantico, Grey's Anatomy, Designated Survivor, 
Criminal Minds, Ray Donovan
Producer: The Nutcracker and the Four Realms, Murder on the Orient 
Express, Saving Private Ryan, Speed

Michael Gracey
Director: The Greatest Showman

Don Granger
Skydance Media
Executive Producer: Geostorm
Producer: Jack Reacher, Jack Reacher: Never Go Back, Mission 
Impossible: Rogue Nation

Bonnie Greenberg
Co-Producer/Music Supervisor: The Hunting Ground
Executive Music Producer: RBG
Music Supervisor: How The Grinch Stole Christmas, My Best Friend's 
Wedding

Jeffrey Greenstein
Co-President, Millennium Media, Inc.

James V. Hart
Writer: August Rush, Bram Stoker's Dracula, Contact, Hook
Founder, HartChart

Lisa Henson
CEO, The Jim Henson Company

Patricia Herskovic
Producer: Deadly Blessing, Mother's Boys, Toy Soldiers
Author: Escape to Life

Marshall Herskovitz
The Bedford Fall Company
Producer/Writer: The Last Samurai
Producer: Blood Diamond, Legends of the Fall
Executive Producer: Thirtysomething, My So-Called Life

David Hoberman
Mandeville Films
Producer: Beauty and the Beast, The Fighter, The Muppets, The Proposal, 
Wonder

Matthias Hoene
Director: Cockneys vs Zombies, Enter the Warriors Gate

Gale Anne Hurd
Valhalla Entertainment
Executive Producer: Fear The Walking Dead, Lore, The Walking Dead
Producer: Aliens, The Terminator, Terminator 2: Judgment Day, 
Terminator 3: Rise of the Machines

Allison Jackson
Founder and CEO, The Allison Jackson Company

Jon Jashni
Raintree Ventures
Executive Producer: Lost in Space
Producer: Godzilla, Kong: Skull Island, Pacific Rim, Warcraft

Dan Jinks
Producer: American Beauty, Big Fish, Milk

Ryan Kavanaugh
Producer: Mirror Mirror
Executive Producer: The Fast and the Furious: Tokyo Drift, Little 
Fockers, Talladega Nights: The Ballad of Ricky Bobby

Brad Kembel
Executive Vice President, Distribution & Operations, Global Road 
Entertainment, LLC

Tim Kittleson
Director, UCLA Film & Television Archive (ret.)

Jason Kliot
Open City Films
Producer: Coffee & Cigarettes, Enron: The Smartest Guys in the Room, 
Redacted
Executive Producer: Bubble, Capernaum, Lovely & Amazing

Hawk Koch
Former President, Academy of Motion Picture Arts and Sciences
Executive Producer: Heaven Can Wait, Primal Fear, Source Code, Wayne's 
World

Tony Krantz
Flame Ventures
Executive Producer: 24
Producer: Mulholland Drive

Adam Krentzman
Executive Producer: The Domestics, Elephant Tales, Oh My God

John Krokidas
Director: American Crime, Kill Your Darlings

Michelle LeClair
Author, Speaker, CCO, LeClair Beauty
Author: Perfectly Clear

Mark Leibowitz
President, Leibowitz Pictures

Adam Leipzig
Producer: Plastic Ocean
Co-Producer: Titus

Peter Lenkov
Executive Producer: Hawaii Five-0, MacGyver, Magnum P.I., Salvation

Harry Lennix
Actor: The Blacklist, Man of Steel, The Matrix Reloaded, Matrix 
Revolutions

Avi Lerner
Chairman and CEO, Millennium Media, Inc.

Todd Lieberman
Mandeville Films
Producer: Beauty and the Beast, The Fighter, The Proposal, Wonder

Michael London
Groundswell Productions
Executive Producer: Confirmation, Milk
Producer: Sideways

Laurence Mark
Producer: Jerry Maguire; I, Robot; Dreamgirls; Julie & Julia; The 
Greatest Showman

Ron Maxwell
Writer/Director: Copperhead, Gettysburg, Gods & Generals

Craig Mazin
Writer: The Hangover Part II, Identity Thief

Mary Mazzio
50 Eggs Films
Director/Producer: I Am Jane Doe, Apple Pie, The Apple Pushers, A Hero 
for Daisy, TEN9EIGHT, Underwater Dreams

Nat McCormick
Executive Vice President of Sales & Distribution, The Exchange

Michael Menchel
Producer: One Chance, Only the Brave
Executive Producer: Ain't Them Bodies Saints

Tory Metzger
Executive Producer: Arrival
Producer: The Forest

Gev Miron
Co-Founder and Creative Director, MVH CreativeWorks

Bobby Moses
Mavrick Artists Agency

Eric Newman
Screen Arcade
Executive Producer: Narcos
Producer: Bright, Children of Men

Rick Nicita
RPMedia Producer, Former Co-Chairman of Creative Artists Agency

Jerry Offsay
Executive Vice President, Hamburger Hill
Executive Producer: As Seen Through These Eyes, Eight Men Out, Six 
Dance Lessons in Six Weeks

MJ Peckos
President, Dada Films
Executive Producer: Burning Secret, Paper House

Maggie Phillips
Music Supervisor: The Handmaid's Tale, Moonlight

Pamela Pickering
Berlin International Film Festival Delegate, Former Chairman of IFTA

Lou Pitt
CEO, The Pitt Group and Alton Road Productions
Producer: The Exception, Hollywood Homicide

David Poland
President, Outside Voice

Gavin Polone
Pariah
Executive Producer: Curb Your Enthusiasm
Producer: Zombieland

Dawn Prestwich
Executive Producer: Carnivale, Flashforward, The Killing, The Riches, 
Z: The Beginning of Everything

Jean Prewitt
CEO, Independent Film & Television Alliance

John Ptak
Owner, Arsenal Films
Executive Producer: Let Me In, The Way Back

Samantha Ramirez-Herrera
Founder, Offtharecord Inc.

Linda Reisman
Producer: Leave No Trace
Executive Producer: The Danish Girl

JB Roberts
Partner, Thruline Entertainment

Doug Robinson
Executive Producer: Breaking In, The Goldbergs, Rules of Engagement

Lise Romanoff
Managing Director/CEO, Vision Films, Inc.

Karen Rosenfelt
Producer: Max, Me Before You, The Twilight Saga: Breaking Dawn--Part 1, 
The Twilight Saga: Breaking Dawn--Part 2, The Twilight Saga: Eclipse, 
The Twilight Saga: New Moon
Executive Producer: Twilight

Howard Rosenman
Producer: Call Me By Your Name, The Family Man, Father of the Bride

Danny Rosett
Executive Producer: Capote

Eric Roth
Executive Vice President of Business Affairs, New Regency Productions

Aaron Ryder
Co-President of Production & Acquisitions, FilmNation Entertainment
Producer: Arrival, Transcendence

Nina Sadowsky
Author: The Burial Society, Just Fall
Executive Producer: The Wedding Planner

Robin Sax, JD & MSW
Law Offices of Robin Sax

Teddy Schwarzman
Producer: The Imitation Game, Mudbound

Lloyd Segan
Partner, Piller/Segan

Keri Selig
President and Founder, Intuition Productions
Executive Producer: The Kennedys After Camelot, The Secret Life of 
Marilyn Monroe, The Stepford Wives

Jeff Sharp
Producer: Boys Don't Cry, The Yellow Birds You Can Count on Me

Stacey Sher
Producer: Django Unchained, Erin Brockovich, The Hateful Eight, Into 
the Badlands, World Trade Center

Jon Shestack
Producer: Air Force One, Before I Fall, Dan in Real Life

Meyer Shwarzstein
CEO, Brainstorm Media

Sigurjon (Joni) Sighvatsson
Palomar Pictures
Producer: Killer Elite, The Weight of Water
Executive Producer: Arlington Road, Wind River

Paul Alan Smith
Founder, Equitable Stewardship for Artists

Ellen Steloff
Executive Director and Founder, Rabbit Hole Screenings
Executive Producer: Dream A Little Dream, Far From Home, A Gnome Named 
Norm, The Underachievers

Michael Sucsy
Director: Every Day, Grey Gardens, The Vow

Michael Sugar
Sugar23
Producer: Spotlight
Executive Producer: The Knick, The OA

Kurt Sutter
Executive Producer: Sons of Anarchy, Mayans M.C., The Shield
Executive Producer and Writer: Southpaw

Andrew Tennenbaum
Producer: Water for Elephants
Co-Producer: The Bourne Identity, The Bourne Legacy, The Bourne 
Supremacy, The Bourne Ultimatum, Jason Bourne

John Toll, ASC
Director of Photography: Almost Famous, Braveheart, Cloud Atlas, The 
Last Samurai, Legends of the Fall, The Rainmaker, The Thin Red Line, 
Vanilla Sky

Bob Tourtellotte
Film McQueen
Executive Producer: Crazy Bitches, Meth Head

Jeff Vespa
Vespa Pictures

Hunter Via
Editor: The Chi, Snowfall, The Walking Dead

Michele Vice-Maslin
Sweetersongs & Mob Force Productions
Songwriter: Blue Bloods, Downsizing, Guiding Light

Joana Vicente
Executive Director, Independent Filmmaker Project (IFP)

Ruth Vitale
CEO, CreativeFuture
Executive Producer: American Crime, Don Juan DeMarco, Gummo

Nick Wechsler
Nick Wechsler Productions
Producer: Magic Mike, The Road

Robert B. Weide
Director/Executive Producer: Curb Your Enthusiasm, Mr. Sloane
Producer/Writer: Mother Night
Writer: The Giver

Chris Weitz
Writer: Cinderella, Rogue One: A Star Wars Story
Director: A Better Life, The Twilight Saga: New Moon

Ron West
Partner, Thruline Entertainment

Brett Williams
Senior Vice President of Public Affairs, CreativeFuture

Frank Wuliger
Partner, The Gersh Agency

Janet Yang
Executive Producer: The Joy Luck Club
Producer: The People vs. Larry Flynt

Ron Yerxa
Bona Fide Productions
Producer: Election, Little Miss Sunshine, Nebraska

Graham Yost
Executive Producer: Justified
Writer: Speed

Jonathan Yunger
Co-President, Millennium Media, Inc.
                                 ______
                                 
   Response to Written Question Submitted by Hon. Roger F. Wicker to 
                         Hon. Michael Chertoff
    Question. What is your experience with the WHOIS database from a 
cybersecurity perspective and can you comment on its importance in this 
regard?
    Answer. An unexpected side-effect of Europe's adoption of the 
General Data Protection Regulation (GDPR) was the decision of the 
Internet Corporation for Assigned Names and Numbers (ICANN) to redact 
some registration information from its WHOIS database. ICANN is the 
non-profit organization that manages the global domain name system, 
which acts as a sort of address book or telephone book for the 
internet, directing users to specific servers based on the domain name 
information that they enter into their browser. This allows end users 
to type in the domain www.whitehouse.gov rather than having to memorize 
the specific server address associated with the White House's public 
website, which could be a series of up to 32 alpha-numeric characters. 
ICANN's WHOIS database allows for the pubic, and security researchers, 
to look up key information about individual domains, including who 
registered or controls them.
    ICANN has interpreted GDPR as requiring the redaction of several 
fields of data traditionally included in WHOIS data, including the name 
of the person who registered the domain, their phone number, physical 
address, and e-mail address. While this information is not always 
publicly available through WHOIS (and can be of dubious quality) as a 
result of varying practices from various domain name providers, this 
data can be very useful to researchers, criminal investigators, and 
other parties seeking to investigate potential cybercrimes or malicious 
activity associated with a specific domain (which may, for example, be 
used to mimic a major retailer in order to steal user credentials or 
serve as a command and control server for malicious software). As a 
result of this change, ICANN has proposed creating an ``accreditation'' 
system to restore access to this information to law enforcement and 
researchers. It has yet to fully develop such a system and has 
indicated that it would be ready until at least December 2018. It would 
then likely take several months for domain providers to adopt the new 
system.
    As a result, for at least the next few months, researchers and law 
enforcement will be unable to utilize a tool that has historically been 
useful in shutting down cyber criminal enterprises and in the conduct 
of cyber criminal investigations. I would encourage ICANN to move 
quickly to remedy the problem and restore access to this information to 
both law enforcement and researchers in order to help them combat cyber 
criminal activity.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                        to Hon. Michael Chertoff
    Question 1. There are nearly a quarter of a million small 
businesses in Nevada. They're working to try to navigate the 
increasingly complex cyber world and I hear a lot from them about 
cybersecurity and other Internet issues.
    Can you talk about GDPR, as well as other international 
regulations, and how we can ensure that small businesses have the tools 
to navigate these as well as rules that are being put in place at the 
state level?
    Answer. Certainly, such regulations can be difficult for small 
businesses to deal with. Often companies lack the in-house resources 
and expertise to develop a strong understanding of their requirements 
and the steps that may be needed to implement required changes. This is 
particularly true if a small business does all of its own in-house data 
management and processing. However, many small businesses rely upon 
third-party vendors for data management and processing, meaning that 
their compliance is effectively handled by that vendor. Many cloud 
vendors, for example, have marketed their products to smaller 
businesses by highlighting their in-built GDPR compliance, such as data 
management and security capabilities that meet EU standards. It is also 
worth noting that many small businesses in the U.S. are unlikely to be 
impacted by international regulations as their customers are located 
exclusively in the United States.
    State-level regulations in the U.S. are likely to have a much 
larger impact on small businesses, just as varying state sales tax 
regimes do. The one advantage of GDPR is that it has created a single 
standard and compliance regime for all 28 EU member countries, and 
arguably for the slightly larger number of European countries in the 
European Economic Area (EEA). The prospect of fifty different state-
level data security and privacy regulations is far more daunting and 
potentially impactful for U.S. small businesses, which are far more 
likely to conduct business across state lines than they are across 
international borders. While many are likely to rely upon their third-
party vendors to aid them in their compliance with such requirements, 
the possibility of fifty different regulatory regimes and the magnitude 
of potential business impact makes the scale of the issue much greater 
for small businesses. As I indicated in my earlier testimony, I would 
encourage policy makers to work toward a single, national regime with 
robust data security and privacy protections rather than allowing a 
patchwork of state-level requirements to develop.

    Question 2. Countries and increasingly imposing data localization 
requirements, which require companies that collect personal data to 
store it on servers within the geographic boundaries of the country, as 
a requirement for companies to do business there.
    Are there logistically feasible ways for American entities to 
process data internationally with the data localization polices that 
were discussed at the hearing?
    Answer. It may be feasible for certain companies to comply with 
such requirements in certain instances. For example, Microsoft has 
built a data center in Germany with a local partner to comply with some 
initial data-localization requirements. This is unlikely to have a 
major impact on their business given the size of the German market and 
the likelihood that the company would need in any event to build at 
least one, if not several, data centers in the country to offer its 
cloud services to customers in that country while maintaining a high 
level of service. That said, a smaller provider may not have the volume 
of business in Germany to justify constructing a dedicated data center 
in that country, potentially making it infeasible for them to operate 
there. This could pose a significant barrier to entry for new market 
entrants.
    These calculations also change if you consider a smaller country, 
such as Luxembourg, or a series of smaller countries geographically 
proximate to one another. For example, the Baltic countries (Estonia, 
Latvia, and Lithuania) taken together may be a large enough market to 
justify a company such as Google or Amazon building a data center to 
serve all three countries, perhaps constructing the data center in 
Estonia. However, if each country were to have its own data 
localization requirements a provider would be expected to build a data 
center not just in Estonia, but in Latvia and Lithuania as well. Such a 
change could make it economically infeasible for the provider to offer 
its services in all three countries.

    Question 3. How does this impact academia or the private sector?
    Answer. These requirements generally do not distinguish between 
sectors and, as such, they would impact both the academic and private 
sectors. In the academic world, such requirements could make 
collaborative research extremely difficult, if not impossible, limiting 
the ability for researchers to transfer data between collaborators in 
different countries or process research data from country A in country 
B. For the private sector, such requirements could effectively prevent 
foreign companies from operating in a country with these requirements 
as they could prove so costly as to be a barrier to entry.

    Question 4. With the various data localization laws taking effect, 
can you discuss whether those typically explicitly forbid data transfer 
over national borders or would they allow a country, Germany for 
example, to host data on German made servers in a neighboring country?
    Answer. The most stringent of these requirements effectively 
prohibit the transfer of data belonging or relating to a citizen of the 
country to an entity or location outside of that country's physical 
borders. I am unaware of any existing or proposed requirements that 
would allow for the transfer of affected data outside the country 
provided that the transfer was to servers manufactured within the 
country. Instead the EU, and some countries outside the EU, have only 
allowed for data to be transferred beyond their jurisdiction when the 
company conducting the transfer and the country to which the data is 
being transferred agree to store and process the data in a manner that 
complies with their own domestic requirements. For example, the US-EU 
Privacy Shield Agreement, and the preceding Safe Harbor agreement, 
require U.S. companies and the U.S. Government to ensure that all 
European data transferred to the U.S. is handled in a manner consistent 
with EU data protection requirements.

    Question 5. Additionally, if a U.S. company, for example, was 
expected to store data on a data center in a country like China, would 
it be mandated to use Chinese materials or technology in the 
construction of the data center? Please answer generally with respect 
to the multitude of data localization laws.
    Answer. It certainly is possible that a country could have such a 
requirement, but practically speaking, few countries have a domestic 
industry capable of supporting such a requirement. China, specifically, 
is where a large volume of technology components used in cloud 
computing are manufactured, so it would be relatively easy for Chinese 
authorities to mandate the use of servers or other components 
manufactured in country. Frankly, supply-chain risks associated with 
the widespread use of technology components manufactured in China is a 
serious concern across the U.S. technology and national security 
sectors and merits a much broader and in-depth discussion.

    Question 6. The EU-U.S. Privacy Shield is a program that allows 
companies to transfer personal data to the United States from the 
European Union (EU) in a way that is consistent with EU law. However, 
the European Parliament passed a non-binding resolution in July 
claiming the United States was not complying with European law and 
called on the European Commission to suspend Privacy Shield by 
September 1 ``unless the U.S. is fully compliant.''
    What would the impact to U.S. businesses be if the EU Commission 
suspends Privacy Shield?
    Answer. The suspension of the Privacy Shield agreement would likely 
have an impact similar to that seen when the European Court of Justice 
(ECJ) effectively suspended Privacy Shield's predecessor, Safe Harbor, 
through its ruling in the Schrems case. That is, it would create 
significant uncertainty for U.S. providers operating in Europe and 
leave them in a legal limbo as they sought to comply with EU data 
protection requirements via alternative means, such as binding 
corporate rules or standard model clauses.
    For the largest U.S. technology providers, the impact would likely 
be limited as these companies, Google, Microsoft, and Amazon, for 
example, already have these alternative means of compliance in place. 
However, the impact on smaller providers would be much greater. Binding 
corporate rules can be difficult to implement and standard model 
clauses can present legal issues to some companies. Smaller companies 
are also unlikely to have the in-house expertise needed to achieve 
compliance through these alternative means, increasing their costs and 
potentially disrupting their operations.
    It seems likely that the European Commission will seek some sort of 
renegotiation of Privacy Shield with the U.S. to ensure it properly 
reflects GDPR's requirement. Max Schrems, the plaintiff in the earlier 
court case that led the ECJ to effectively invalidate Safe Harbor, has 
already filed a challenge to Privacy Shield claiming it does not 
adequately protect European's privacy rights under GDPR. The case will 
ultimately need to make its way through European courts and back to the 
ECJ, meaning that there will be some level of uncertainty surrounding 
Privacy Shield's future for at least several years.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jon Tester to 
                         Hon. Michael Chertoff
    Question 1. Many members of the panel mentioned the United States 
needs to step up our level of engagement and join other like-minded 
countries. In your opinion, which countries closest align with our 
values on Internet freedom, privacy, and Internet of Things?
    Answer. Our traditional allies are the countries who are most like-
minded on these issues. The United Kingdom, Canada, Australia, and New 
Zealand (the so-called ``Five Eyes'') are the most closely aligned with 
the U.S. on these issues. The countries of the EU are also similarly 
minded but have differing views on what constitutes privacy and how to 
balance those rights with others, such as free speech. As such, we are 
unlikely to find easy agreement on issues such as ``the right to be 
forgotten.'' Other traditional allies, such as Japan, South Korea, and 
Taiwan, also share broadly similar views.

    Question 2. What forum (e.g., the United Nations, NATO, etc.) do 
you recommend for facilitating an international discussion on rules and 
definitions?
    Answer. Unfortunately, there isn't an ideal forum for such a 
discussion currently. NATO and other security alliances made up of 
like-minded countries are focused on more traditional security needs 
and are ill-suited for this type of a discussion and effort. Broader-
based organizations, such the UN, include a much wider variety of 
countries, many of whom do not share our values or views on data 
privacy and security, and as such would oppose our efforts. I believe 
that bi-lateral or multi-lateral efforts outside of these 
organizations, or the creation of a new organization, to be the likely 
path forward on these issues. A number of nongovernmental 
organizations, including the Global Commission on the Stability in 
Cyberspace, on which I serve, continue to examine and work on these 
issues and could be the basis for broader discussion between interested 
countries on these issues.

    Question 3. Before the United States can lead the charge 
international, we must unify our own ``rules of the road.'' Does such a 
forum currently exist, to your knowledge? How has private industry in 
the U.S. tried to tackle how we define the rules of the road when it 
comes to Internet security and governance? Which U.S. governmental 
agency would you recommend take the lead and represent the United 
States in international discussions?
    Answer. I do not believe that we have such a consensus in the 
United States on these issues at this time. Conversations on these 
issues have taken place in a variety of forums, including the Aspen 
Security Conference and RSA. To date, private industry has generally 
avoided making specific proposals on these issues, though several have 
begun to move in this direction having recognized the need for action. 
Microsoft's Brad Smith, for example, has proposed a ``Digital Geneva 
Convention'' to help establish these types of rules. The varying 
business models and interests of major U.S. technology companies makes 
it difficult for U.S. technology companies to reach their own consensus 
on these issues. I believe that Congressional action and Executive 
leadership will be needed in order to establish such rules. Perhaps 
Congress could establish a Commission to study and make comprehensive 
recommendations.
    In terms of international discussions, I certainly see the U.S. 
State Department as the agency that will need to take the lead, with 
support in such discussions coming from the Departments of Commerce, 
Homeland Security, and Defense as well as the intelligence community.
                                 ______
                                 
   Response to Written Question Submitted by Hon. Roger F. Wicker to 
                              James Bladel
    Question. Mr. Bladel, the EU's General Data Protection Regulation 
was intended to apply only to EU citizens (natural persons). What is 
GoDaddy doing to preserve open and free access to as much of the WHOIS 
record as possible by differentiating between those individuals covered 
by the EU's GDPR and those who are not?
    Answer. When the European Union's General Data Protection 
Regulation (GDPR) took effect on 25 May 2018, GoDaddy redacted the 
published WHOIS data for all impacted customers according to ICANN's 
Temporary Specification (https://www.icann.org/resources/pages/gtld-
registration-data-specs-en).
    This redaction only applied to those records that we determined, to 
the best of our knowledge, represented natural persons who were covered 
by GDPR, or equivalent privacy laws. We did not redact records that 
clearly represented organizations, or with mailing addresses outside of 
these regions.
    GoDaddy estimates that we have redacted less than 20 percent of 
WHOIS records in order to comply with GDPR.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                            to James Bladel
    Question 1. Countries and increasingly imposing data localization 
requirements, which require companies that collect personal data to 
store it on servers within the geographic boundaries of the country, as 
a requirement for companies to do business there.
    Are there logistically feasible ways for American entities to 
process data internationally with the data localization policies that 
were discussed at the hearing?
    Answer. While it is technically possible to create localized 
instances for data processing, this approach creates significant 
operational costs and complexities that could prohibit us from serving 
certain markets. Additionally, localization requirements disrupt our 
ability to provide a uniform experience to our customers across our 
product offering.

    Question 2. How does this impact academia or the private sector?
    Answer. I'm not able to characterize the impact on academia, and 
believe that our response to Question 1 would be applicable for most 
private sector companies. Generally, the aggregate effect of these laws 
is to favor local providers (or affiliates) over American firms.

    Question 3. With the various data localization laws taking effect, 
can you discuss whether those typically explicitly forbid data transfer 
over national borders or would they allow a country, Germany for 
example, to host data on German made servers in a neighboring country?
    Answer. Some countries (e.g., China) have strict requirements that 
all data is processed and retained locally. Other countries allow for 
international data sharing under certain conditions. For example, under 
GDPR Germany would allow user data to ccbe transferred within the 
European Union, or to countries recognized to have an equivalent data 
protection framework. Currently, transfers from the EU to the U.S. are 
allowed under the Privacy Shield agreement.

    Question 4. Additionally, if a U.S. company, for example, was 
expected to store data on a data center in a country like China, would 
it be mandated to use Chinese materials or technology in the 
construction of the data center? Please answer generally with respect 
to the multitude of data localization laws.
    Answer. I am not aware of localization laws that require us to use 
domestic equipment or technology. And while laws vary across countries, 
we have encountered localization requirements (actual or proposed) that 
would obligate us to:

   Establish a local presence or entity

   Use a local bank or law firm

   Obtain a license or permit from the local government (with 
        various obligations)

   Provide local authorities with regular reports or privileged 
        access to data or records

    Question 5. The EU--US Privacy Shield is a program that allows 
companies to transfer personal data to the United States from the 
European Union (EU) in a way that is consistent with EU law. However, 
the European Parliament passed a non-binding resolution in July 
claiming the United States was not complying with European law and 
called on the European Commission to suspend Privacy Shield by 
September 1 ``unless the U.S. is fully compliant.''
    What would the impact to U.S. businesses be if the EU Commission 
suspends Privacy Shield?
    Answer. The loss of Privacy Shield would significantly disrupt our 
ability to process the data of our customers in the EU, and reliably 
deliver the products they have purchased from us. We note that the 
September 1 deadline has passed, but the EU has not taken any steps to 
suspend Privacy Shield. But because of the potential impact to our 
business, we are closely monitoring these developments.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jon Tester to 
                              James Bladel
    Question 1. Many members of the panel mentioned the United States 
needs to step up our level of engagement and join other like-minded 
countries. In your opinion, which countries closest align with our 
values on Internet freedom, privacy, and Internet of Things?
    Answer. In terms of free expression and encouraging innovation and 
free online markets, I consider our historical allies in Internet 
Governance to be most closely aligned with the values of the US. This 
includes: Europe/UK, Canada, Australia, New Zealand, and to some 
extent: Japan, South Korea, and Mexico.

   With regard to online privacy, my opinion is that the EU is 
        leading this issue globally, other countries are following 
        suit, and the U.S. is increasingly being viewed as an outlier.

   I don't have an informed opinion on the governance landscape 
        as it pertains to the Internet of Things (IoT).

    Question 2. What forum (e.g., the United Nations, NATO, etc.) do 
you recommend for facilitating an international discussion on rules and 
definitions?
    Answer. In the private sector, we favor multi-stakeholder 
organizations (like ICANN) as an international forum for establishing 
rules and policies.
    We do not find the United Nations, especially the ITU, as a helpful 
forum for these topics. An exception would be the Internet Governance 
Forum (IGF), which is sponsored by the UN.

    Question 3. Before the United States can lead the charge 
international, we must unify our own ``rules of the road.'' Does such a 
forum currently exist, to your knowledge? How has private industry in 
the U.S. tried to tackle how we define the rules of the road when it 
comes to Internet security and governance? Which U.S. governmental 
agency would you recommend take the lead and represent the United 
States in international discussions?
    Answer. Many of the rules and policies that govern our industry are 
developed within ICANN, but issues like privacy, competition, and 
cybersecurity are outside of ICANN's remit. For this reason, I'm 
inclined to believe that a forum for these issues does not currently 
exist.
    The private sector has largely self-organized to address online 
problems, and has had some success via numerous coalitions, alliances, 
etc. These groups allow large firms to gather and share ideas, data, 
best practices, and then disseminate these throughout the industry.
    The U.S. interests are best represented by the Department of 
Commerce (NTIA), and in some fora by the State Department.
    Cybersecurity and online organized crime issues are more 
appropriately addressed by law enforcement (FBI/DOJ) and/or Defense.
                                 ______
                                 
   Response to Written Question Submitted by Hon. Roger F. Wicker to 
                          Roslyn Layton, Ph.D.
    Question. Dr. Layton, it seems that the stated intention and scope 
of the recent EU General Data Protection Regulation (GDPR) is far 
different from the impacts of its implementation. Can you comment on 
how the GDPR has been implemented as it relates to access to WHOIS 
data, which is critical to the security and safety of the open Internet 
itself?
    Answer. The July 31st hearing established that the stated intention 
and scope of the GDPR is far different from its implementation. To 
begin, Americans have different conceptions of privacy and data 
protection compared to Europeans. Moreover, the process to make the 
respective regimes, move in the opposite directions. Americans may have 
a starting point of privacy, a deductive process from which data 
protection policy and regulation flows. The Europeans on the other 
hand, are inductive. They build a series of data protection 
regulations, and that resulting corpus is what is referred to as 
privacy. The GDPR itself only mentions ``privacy'' in three instances, 
and it is more correctly understood as a model of data governance, 
rather than privacy.
    Moreover, the GDPR has many unintended consequences, one of which 
is the undermining of the transparency of the WHOIS query and response 
protocol as it needed by law enforcement, cybersecurity professionals 
and researchers, and trademark and intellectual property rights 
holders.\1\ The problem is best described as the conflict between the 
right to be informed and the right to be forgotten.\2\ It can also be 
understood within the context of the problem of ``privacy overreach,'' 
\3\ in which the drive to protect privacy becomes absolute, lacks 
balance with other rights, and unwittingly brings worse outcomes for 
privacy and data protection.\4\ The situation harkens back to a key 
fallacy of so-called privacy activists who attempted to block the 
rollout of caller ID because it violated the privacy rights of 
intrusive callers. Today we agree that the receivers right to know who 
is calling is prioritized over the caller.\5\ Similarly we can 
understand that the needs of public safety will supersede data 
protection, particularly in situations of danger to human life. 
Moreover, we should at least expect intellectual property to be in 
balance with data protection, not in the conflict we find it today with 
the GDPR.
---------------------------------------------------------------------------
    \1\ Shane Tews. ''How European data protection law is upending the 
Domain Name System.'' American Enterprise Institute. February 26, 2018. 
https://www.aei.org/publication/how-european-data-protection-law-is-
upending-the-domain-name-system/
    \2\ Shane Tews, ``Privacy and Europe's data protection law: 
Problems and implications for the US''. AEI.org May 8, 2018. http://
www.aei.org/publication/privacy-and-europes-data-protection-law-
problems-and-implications-for-the-us/
    \3\ See Justin ``Gus'' Hurwitz and Jamil N. Jaffer, ``Modern 
Privacy Advocacy: An Approach at War with Privacy Itself?, Regulatory 
Transparency Project of the Federalist Society,'' June 12, 2018, 
https://regproject.org/paper/modern-privacy-advocacy-approach-war-
privacy/.
    \4\ See Maja Brkan, The Unstoppable Expansion of the EU Fundamental 
Right to Data Protection, Maastricht Journal of European and 
Comparative Law 23, no. 5 (2016): 23, http://journals.sagepub.com/doi/
abs/10.1177/1023263X1602300505?journalCode=maaa.
    \5\ Supra Hurwtiz
---------------------------------------------------------------------------
    While the goal of the GDPR may have been data protection, an 
overbroad application by registrars and registry operators is 
threatening to jeopardize the safety of Internet users and the security 
of the Internet generally, both within the EU and beyond its borders. 
From its launch, WHOIS was designed to enable people to identify whom 
they are dealing with on the other side of a website. This not only 
promotes the trust necessary to facilitate online commerce, but is also 
critical for public safety, consumer protection, law enforcement, 
dispute resolution, and enforcement of rights.
    The Internet Corporation for Assigned Names and Numbers, however, 
announced a Temporary Specification recently that allows registries and 
registrars to obscure WHOIS information they were previously required 
to make public, ostensibly in order to comply with the GDPR.\6\ This 
will hinder efforts to combat unlawful activity online, including 
identity theft, cyber-attacks, online-espionage, theft of intellectual 
property, fraud, unlawful sale of drugs, human trafficking, and other 
criminal behavior, and is not even required by the GDPR, as the U.S. 
Departments of Commerce and Homeland Security, the National 
Telecommunications and Information Administration, and ICANN's own 
Governmental Advisory Committee of more than 170 member countries and 
economies have all observed.\7\
---------------------------------------------------------------------------
    \6\ ICANN, Temporary Specification for gTLD Registration Data 
(adopted May 17, 2018), https://www.icann.org/resources/pages/gtld-
registration-data-specs-en.
    \7\ See U.S. Dept. of Commerce and U.S. Dept. of Homeland Security, 
A Report to the President on Enhancing the Resilience of the Internet 
and Communications Ecosystem Against Botnets and Other Automated, 
Distributed Threats 23, 24 (May 2018), https://www.commerce.gov/sites/
commerce.gov/files/media/files/2018/eo_13800_botnet_report_-
_finalv2.pdf; Remarks of David J. Redl, Assistant Secretary of Commerce 
for Communications and Information, ICANN 61 (March 12, 2018), https://
www.ntia.doc.gov/speechtestimony/2018/remarks-assistant-secretary-redl-
icann-61; ICANN, Governmental Advisory Committee, Communique--San Juan, 
Puerto Rico (March 15, 2018), https://gac.icann.org/advice/communiques/
20180315_icann61%20gac%20communique_finall.pdf.
---------------------------------------------------------------------------
    Notably the GDPR does not apply at all to non-personal information 
and states that disclosure of even personal information can be 
warranted for matters such as consumer protection, public safety, law 
enforcement, enforcement of rights, cybersecurity, and combating fraud. 
Moreover, the GDPR does not apply to domain names registered to U.S. 
registrants by American registrars and registries. Nor does it apply to 
domain name registrants that are companies, businesses, or other legal 
entities, rather than ``natural persons.''
    To protect American citizens, Congress therefore might consider 
urging--both through its own diplomatic channels and in its work with 
the White House and Federal agencies--that European policymakers 
clarify that the GDPR does not prevent access to WHOIS data for law 
enforcement, consumer protection, and rights enforcement. Congress 
might also indicate to domain name registries and registrars that it 
expects them to continue making WHOIS data publicly available to both 
law enforcement and private entities for purposes of protecting U.S. 
consumers and rightsholders. Federal legislation requiring such 
disclosure also should be considered to ensure that the European 
directive does not inappropriately interfere with U.S. prerogatives to 
set U.S. policy and protect its citizens.
    Congress should take note of some key actors driving the GDPR whio 
are now in key political positions in the EU. Notably the coming 
conflict between the GDPR and WHOIS was described highlighted in a 2017 
academic article by law and computer science researchers at the 
University of Vienna.\8\ Austria has been ground zero for GDPR 
activism. The current head of the EU Data Protection Supervisor (EDPS), 
Andrea Jelinek, was formerly the chief of the Austrian Data Protection 
Authority which worked closely with Austrian privacy activist Max 
Schrems. Schrems founded the Vienna-based non-profit None of Your 
Business (NOYB) to professionalize GDPR litigation and has lodged GDPR 
complaints against Google and Facebook, requesting some $8.8 billion in 
damages on the day the GDPR came into effect.\9\ Jelinek has 
incorporated NOYB parlance into EDPS activities and policy 
arguments.\10\ In her role in the Article 29 Working Party, the group 
that drove the promulgation of the GDPR, Ms. Jelinek noted that the 
elimination and masking of WHOIS information is justified under the 
nebulous, overbroad, and invented conceptions of the GDPR.\11\ It is 
understandable that is group of GDPR supporters are willing to torpedo 
internationally accepted norms and conventions in order to legitimize 
the GDPR.
---------------------------------------------------------------------------
    \8\ Erich Schweighofer, Vinzenz Heussler, and Walter Hotzendorfer. 
``Implementation Issues and Obstacles from a Legal Perspective.'' 
Collaborative Cyber Threat Intelligence: Detecting and Responding to 
Advanced Cyber Attacks at the National Level. Editor Florian Skopnik. 
Taylor & Francis, 2017. https://www.taylorfrancis.com/books/e/
9781315397894
    \9\ https://noyb.eu/wp-content/uploads/2018/05/
pa_forcedconsent_en.pdf
    \10\ See the discussion of ``forced consent'', a term defined by 
NOYB which has been co-opted by the EDPS.
    \11\ https://www.icann.org/en/system/files/correspondence/jelinek-
to-marby-11apr18-en.pdf
---------------------------------------------------------------------------
    My testimony underscores that the GDPR violates many U.S. laws and 
norms and is likely illegal under international law and should be 
challenged by U.S. policymakers.
                                 ______
                                 
      Response to Written Question Submitted by Hon. Roy Blunt to 
                          Roslyn Layton, Ph.D.
    Question. As you know, liability protections for online platforms 
were instituted, in part, so that they could filter harmful and illicit 
content without the threat of civil litigation. In recent years, 
however, digital piracy and other illegal digital transactions have 
been on the rise, and most of the activities to counter it have been 
retrospective. In your testimony, you state that technology and 
business models are improving in a way that could better detect 
pirated, unlicensed content, yet tech companies do not appear to be 
effectively vetting and filtering content on a proactive basis--even 
that which is clearly illegal. In 2017, there were an estimated 22.9 
billion visits to streaming piracy sites worldwide across both desktops 
and mobile devices, a 39 percent increase over the comparable figure 
for 2016. Considering the rise of illegal traffic over online 
platforms:

   Do you believe that technology companies are doing enough to 
        curb the spread of illicit material online?

   Do you believe that the liability protections for technology 
        companies as currently enacted are accomplishing their intended 
        goal?

    Answer. The presumption some 20 years ago behind section 230 of the 
Communications Act and Section 512 of the Copyright Act was that with 
liability protections, online platforms would take proactive steps to 
combat illegal activity over their services. Moreover, those 
protections were only meant to accrue to entities that were not 
profiting from illegal activity. Unfortunately, many platforms are 
primarily taking steps after-the-fact (if at all), once harm as already 
occurred, rather than proactively curbing abuse of their systems. 
Moreover, because many platforms' business models are rooted in 
advertising or the commercialization of data related to Internet users' 
online behavior, some platforms generate revenue from illicit online 
behavior. Clearly this was not the intent of the liability shields, and 
many online platforms can and should be doing more.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                        to Roslyn Layton, Ph.D.
    Question 1. Countries and increasingly imposing data localization 
requirements, which require companies that collect personal data to 
store it on servers within the geographic boundaries of the country, as 
a requirement for companies to do business there.
    Are there logistically feasible ways for American entities to 
process data internationally with the data localization polices that 
were discussed at the hearing?
    Answer. Not every U.S. company is similarly situated. While some 
firms may be able to afford the data localization requirements, this 
does not mean that the requirements improve the quality or efficiency 
of business. While countries claim to benefit by data localization 
(e.g., local economic development), these efforts are at best prestige 
projects designed to make a symbolic show of local participation in the 
Internet economy. At worst, many of these requirements are merely 
fronts for increased surveillance by the foreign government and even 
theft of intellectual property. Make no mistake: the goal of this 
policy is to exert increasing control of the digital economic model 
over the data stored and transferred in the center. There are benefits 
especially in totalitarian states to apply this policy that will be 
offset against cost of social policing or economic measures (e.g., 
direct taxation based on data localization). Remember that the Internet 
and access to information is directly linked to better economic 
opportunities, education, and political options, so it is very 
sensitive for some governments.
    Please note that the free flow of information is the #1 declaration 
of the Organization for Economic Cooperation and Development's digital 
policy recommendations.\1\ Please see the many helpful discussions on 
this topic submitted to NTIA comments on International Internet 
Priorities.\2\
---------------------------------------------------------------------------
    \1\ http://www.oecd.org/sti/ieconomy/Digital-Economy-Ministerial-
Declaration-2016.pdf
    \2\ https://www.ntia.doc.gov/federal-register-notice/2018/comments-
international-internet-policy-priorities
---------------------------------------------------------------------------
    To shed further light on this topic, I attach documents prepared by 
the Chamber of Commerce, which to my knowledge, offers the most 
comprehensive review of the topic and is a credible and authentic voice 
for American enterprise.\3\ Please note that I have no financial 
relationship with the Chamber nor does my attachment of these materials 
constitute an endorsement of any policy.
---------------------------------------------------------------------------
    \3\ Forced Localization: Myths and Facts; Submission to ITC April 
2018; Letter to Indonesian government; Letter to Indian government May 
2018. See the collected reports for Brazil, EU, Indonesia, Japan, South 
Korea, Nigeria, Turkey, Vietnam under the webpage ``Globally Connected, 
Locally Delivered: The Economic Impact of Cross-Border ICT Services.'' 
https://www.uschamber.com/report/globally-connected-locally-delivered-
the-economic-impact-cross-border-ict-services.
---------------------------------------------------------------------------
    While U.S. policymakers should reject forced data localization, it 
is important to understand the motivations for why countries pursue 
such measures and what overall changes and adjustments that U.S. 
policymakers implement to preclude data localization in future. There 
is a sense in many, but not all, countries that American services, 
applications, content, and devices dominate the digital economy and 
that local competitors cannot get a foothold. Data localization can be 
a symbolic response to address what is locally seen as an economic and 
digital imbalance and an attempt to compensate for lost local revenue 
and taxation.
    While the construction of data centers contribute little to local 
digital economies, they do have a marginal impact in employment in 
traditional sectors (e.g., construction, sanitation, etc) and some 
ongoing services for food, transportation etc. However, the centers are 
design to be self-sufficient in terms of energy or emergency services 
such as fire services hence the companies setting them up are 
increasingly to be rewarded for installing those data centers 
offsetting the initial and temporal creation of non-technical jobs with 
the long-term life of the center and environmental costs. Notably local 
governments may leverage their relationships with Silicon Valley 
companies for such arrangements.
    This problem has also been exacerbated by so-called net neutrality 
legislation (some 50 countries) which generally preclude the ability to 
local Internet service providers to participate in efficient two-sided 
market arrangements with companies such as Google and Netflix, reducing 
the ability to invest in broadband infrastructure. Moreover, the lost 
transit revenue and other imbalances reduces the total revenue in the 
local economy which can be taxed and thus remunerated to the local 
country government.
    From the point of view of firms such as Google and Netflix, it is 
rational that they desire to minimize their costs. However, the policy 
creates a loss of consumer welfare in that the cost of transit is 
passed on to all consumers, which increases the price of broadband 
across the board, falling hardest of people of lower income. The policy 
also prohibits the participation of third-party advertisers and firms 
to subsidize the cost of broadband, firms which incidentally are 
frequently American. This is extremely damaging for the truly poor who 
cannot afford Internet access.\4\ While years of net neutrality have 
helped cement the market power of Google and Netflix, they policy has 
not helped foreign countries create local content and services as was 
promised.\5\ It should not be surprising then that countries wish to 
compensate for the imbalance, however in a sub-optimal and ineffective 
way, whether by antitrust, taxation or forced localization. Had U.S. 
Internet firms pursued transparent and efficient two-sided market 
arrangements from the start, it is possible that the current situation 
of forced localization would be significantly less.
---------------------------------------------------------------------------
    \4\ https://www.forbes.com/sites/roslynlayton/2018/07/13/why-does-
california-want-to-adopt-indias-failed-internet-regulation/
#77feeaf3541a
    \5\ http://www.aei.org/publication/does-net-neutrality-spur-
internet-innovation/
---------------------------------------------------------------------------
    There are other ways countries could achieve consumer and 
innovation protections without resorting to heavy-handed, 
anticompetitive policies. Indeed, the evidence shows that countries 
which have pursued ``soft'' methods for net neutrality such as multi-
stakeholder models and codes of conduct have had more successful to 
produce their own Internet innovation. These countries include Japan, 
South Korea, Switzerland, and the Nordic countries prior to 2015.\6\
---------------------------------------------------------------------------
    \6\ http://www.aei.org/publication/beyond-net-neutrality-policies-
for-leadership-in-the-information-computing-and-network-industries/
---------------------------------------------------------------------------
    There is an additional perspective from the experience from gaming 
platforms. These platforms provide the same service to different users 
based on their location. In countries were gambling or the trading of 
virtual currencies is regulated, the gaming users cannot access those 
services. Countries can use this argument to require localization, 
particularly for government to gain easy access for regulated 
industries (e.g., Indonesia and Turkey).
    Some countries employ policy arguments in favor of forced 
localization based upon distrust from the U.S. following the Edward 
Snowden revelations. They see the U.S. as having a double-standard in 
which the U.S. Government and firms have access to user data but want 
to preclude other countries from doing the same. Naturally there are 
good why the U.S. Government and firms would protect user data from 
other countries, but nevertheless there is a ``feeling'' that the U.S. 
is hypocritical. More broadly this speaks to need to rebuild trust with 
other countries, which according to Pew has been on the decline with 
some countries for years.
    It is possible that some technical substitutes for forced data 
localization could evolve in future, notably blockchain with its 
ledger.\7\
---------------------------------------------------------------------------
    \7\ https://www.amazon.com/dp/B072NYKG2G/ref=dp-kindle-
redirect?_encoding=UTF8&
btkr=1

    Question 2. How does this impact academia or the private sector?
    Answer. These requirements impose a cost which falls harder on 
academic, non-profit, and smaller enterprises because they tend to have 
smaller IT budgets and have limited IT staff to implement such 
requirements. For these reasons, smaller institutions are more 
vulnerable to retribution by foreign governments, particularly if 
foreign governments perceive these institutions engaging in politically 
sensitive or competitive activity (e.g., a university may have valuable 
intellectual property and data localization could be an illicit means 
to access that IP; religious organizations are growing in popularity in 
China, and data localization can be a means to increase surveillance of 
fundraising practices etc.\8\).
---------------------------------------------------------------------------
    \8\ https://www.theatlantic.com/international/archive/2017/04/
china-unregistered-churches-driving-religious-revolution/521544/

    Question 3. With the various data localization laws taking effect, 
can you discuss whether those typically explicitly forbid data transfer 
over national borders or would they allow a country, Germany for 
example, to host data on German made servers in a neighboring country?
    Answer. It appears that there are a variety of conflicting trends 
with some countries forbidding transfer while other countries allowing 
hosting with preferred national vendors. We can even see conflicting 
policies within the same country. It is costly and inefficient to have 
such contradictory approaches. For a comprehensive review of the 
requirements, please see the documentation by the U.S. Chamber of 
Commerce.\9\ See also the helpful report by ITIF.\10\
---------------------------------------------------------------------------
    \9\ https://www.ntia.doc.gov/files/ntia/publications/
180717_comments_uscc_ntia_international
internetpolicypriorities.pdf
    \10\ https://itif.org/publications/2017/05/01/cross-border-data-
flows-where-are-barriers-and-what-do-they-cost

    Question 4. Additionally, if a U.S. company, for example, was 
expected to store data on a data center in a country like China, would 
it be mandated to use Chinese materials or technology in the 
construction of the data center? Please answer generally with respect 
to the multitude of data localization laws.
    Answer. Please see the study the American Chamber of Commerce in 
China.\11\ Indeed China may take a majority stake in the data center 
ownership and operation so as to preclude any firm's complaint about 
the cost of forced data localization.
---------------------------------------------------------------------------
    \11\ https://www.amchamchina.org/policy-advocacy/policy-spotlight/
data-localization

    Question 5. The EU-U.S. Privacy Shield is a program that allows 
companies to transfer personal data to the United States from the 
European Union (EU) in a way that is consistent with EU law. However, 
the European Parliament passed a non-binding resolution in July 
claiming the United States was not complying with European law and 
called on the European Commission to suspend Privacy Shield by 
September 1 ``unless the U.S. is fully compliant.''
    What would the impact to U.S. businesses be if the EU Commission 
suspends Privacy Shield?
    Answer. The short answer is that a suspension of the agreement 
would be very disruptive for business. Moreover, it would signal a 
political breakdown in that the EU does not wish to be reasonable or to 
engage in good faith negotiation.
    It is important to note that no regulator or enterprise, whether 
American or European, expressed that the 15-year-old Safe Harbor 
agreement from 2000 was inadequate. However, the Safe Harbor agreement 
was invalidated by a of lawsuit brought by activist Max Schrems in the 
European Court of Justice in 2015.\12\
---------------------------------------------------------------------------
    \12\ https://www.wsj.com/articles/europes-protectionist-privacy-
advocates-1457566423
---------------------------------------------------------------------------
    At its height, the Safe Harbor facilitated $250 billion annually in 
data transfer, including the salaries of millions of European workers 
employed by American companies. The Obama Administration, Department of 
Commerce, and other U.S. officials quickly and valiantly salvaged the 
agreement into the new Privacy Shield framework. The European 
Commission certified that the agreement was satisfactory and adequate 
in its first annual report of the new framework,\13\ but now, certain 
political factions (notably Max Schrems and the European Green Party) 
want to take the Privacy Shield hostage in a self-serving, geopolitical 
effort. They want to nitpick about the U.S. not having appointed an 
official ``ombudsman'' for the Privacy Shield and claim that this 
closes off ability for Europeans to seek redress of violation. However, 
Europeans already have multiple means to pursue redress in the USA 
(courts, FTC, Dept of Commerce etc.), even more than Americans have 
should they wish to pursue redress in the EU. Moreover, the current 
acting U.S. Under Secretary of State for Economic Growth, Energy, and 
the Environment has been performing the de facto role of the ombudsman 
even though it does not have the same title. The position was earlier 
held by Catherine Novelli.
---------------------------------------------------------------------------
    \13\ https://ec.europa.eu/transparency/regdoc/rep/1/2017/EN/COM-
2017-611-F1-EN-MAIN-PART-1.PDF
---------------------------------------------------------------------------
    By way of background, the European Green Party has succeeded in 
their key political goal to decommission the nuclear power industry in 
Germany. Now they need to a new ``enemy'' and have thus defined it as 
Silicon Valley. The Green Party lost seats in the last EU Parliamentary 
election (2014). As a result, they ratcheted up the rhetoric against 
Silicon Valley, including the drive to promulgate the General Data 
Protection Regulation (GDPR). Note that the GDPR is an effort driven 
more by geopolitics than consumer protection.\14\
---------------------------------------------------------------------------
    \14\ http://www.aei.org/publication/privacy-regulation-insanity-
making-the-same-rules-and-expecting-a-different-outcome/
---------------------------------------------------------------------------
    Vera Jourova, the European Commissioner for Justice, Consumers and 
Gender Equality, has communicated to the U.S. on the Privacy Shield, 
but this likely reflects pressure she gets from Max Schrems and the 
Greens, rather than her authentic view. Jourova is part of the ANO 2011 
political party whose leader Andrej Babis became Prime Minister of the 
Czech Republic in December 2017. Babis is described as the ``Trump'' of 
the Czech Republic. The second richest person in the country, he tapped 
into the perceived conflict between the ``coffeehouse elite of Prague'' 
versus the country dwellers (similar to the dichotomy of U.S. coasts 
vs. ``flyover country''). While Jourova is trying to help create 
political wins for EU President Jean Claude Juncker, it is likely she 
is attuned to the populist and nationalist fervor that is sweeping the 
EU presently, in which many Europeans are skeptical of Brussels and 
increasingly want to disengage from the EU.
    Similarly situated is EU Commissioner for Competition Margrethe 
Vestager who also comes from a center-right party and is seen as heir-
apparent to EC President Jean Claude Juncker. For these politicians, 
the goal is to demonstrate that the European project still has value. 
In that way, the center right can create coalitions with left, anti-
corporate parties such as the Greens to channel nationalist fervor into 
fighting the invented enemy of American big tech, and thereby 
demonstrating the EU is still good for something.
                                 ______
                                 
Dear Minister Rudiantara, Chairman Wimboh and Governor Agus,

    We are writing you today as we understand that your ministries/
agencies are working with approximately 30 other government agencies to 
review Government Regulation 82 of 2012 (GR82). We commend these 
efforts and look forward to engaging with your government during the 
upcoming public consultation process on this regulation. We are also 
encouraged that the U.S.-Indonesia Trade and Investment Framework 
Agreement (TIFA) discussions held in Washington earlier this month 
identified the data localization requirement of GR82 as one of the 
priority issues in the bilateral commercial relationship. It is our 
hope that the issue can be resolved in a manner that is consistent with 
global norms and promotes investment and innovation.
    We believe that the requirement to locate data centers and disaster 
recovery centers in Indonesia, Article 17.2 of GR82, and repeated in 
POJK No. 69 of 2016, POJK No. 38 of 2016, MCIT No. 20 of 2016, MCIT 
Circular Letter No. 3/2016, Circular 17/52/DKSP, PBI 18/40/2016, PBI 
19/8/2017, and draft regulations on e-commerce and over-the-top 
services (OTT)--is not in Indonesia's best interests, and therefore we 
strongly advise that it be removed.
    Digital technologies are essential drivers of economic growth in 
Indonesia, and have the potential to contribute as much as $150 billion 
to the economy by 2025,\1\ if the Indonesian government creates a 
supportive and conducive regulatory environment. Requiring data centers 
and disaster recovery centers to be placed in Indonesia would interrupt 
data flows, thereby severely limiting Indonesia's economic development.
---------------------------------------------------------------------------
    \1\ http://www.mckinsey.com//media/McKinsey%20Offices/Indonesia/
PDFs/Unlocking-Indonesias-digital-opportunity.ashx
---------------------------------------------------------------------------
    Based on our discussions with various Indonesian stakeholders and 
further supported by research such as the recent report by the 
Information Technology and Innovation Foundation,\2\ we believe the 
cost of data localization outweighs any perceived benefits. For 
example, the data localization requirement would:
---------------------------------------------------------------------------
    \2\ https://itif.org/publications/2017/05/01/cross-border-data-
flows-where-are-barriers-and-what-do-they-cost

   Restrict Indonesian businesses' and consumers' access to 
        digital and e-commerce networks, causing fewer opportunities, 
        less choice, less service and significantly higher cost and 
        hampering efforts to develop Indonesia into Southeast Asia's 
---------------------------------------------------------------------------
        biggest digital economy by 2020.

   Increase cyber security risks by creating multiple entry 
        points in global platforms.

   Limit Indonesian businesses' and consumers' access to online 
        resources and innovative services.

   Undermine the competitiveness of leading Indonesian and 
        global businesses by imposing limits on the ability to utilize 
        big data.

   Raise costs significantly--for example, Brazil's proposed 
        data localization policies would have increased prices by 54 
        percent for cloud-computing services.\3\
---------------------------------------------------------------------------
    \3\ http://www.leviathansecurity.com/blog/quantifying-the-cost-of-
forced-localization

   Encourage others to retaliate leading to the fragmentation 
        of the Internet and greatly limiting Indonesian startups from 
---------------------------------------------------------------------------
        expanding regionally and globally.

   Lead to lost trade and investment opportunities and reduced 
        competitiveness. Studies clearly show that data localization 
        requirements are a deterrent to investment. A 2016 report by 
        Fifth Era shows that 67 percent of investors surveyed are 
        uncomfortable investing in Internet businesses that are legally 
        obligated to store user data on servers located in the same 
        country where users are located and/or build their own data 
        centers locally in each country of operations. This concern is 
        most prevalent in countries that have discussed data 
        localization, namely India (81 percent) and Indonesia (82 
        percent).\4\
---------------------------------------------------------------------------
    \4\ http://static1.squarespace.com/static/5481bc79e4b01c4bf3ceed80/
t/56f192c240261d47035
66506/1458672343753/201603+Fifth+Er+Report+-
+The+Impact+of+Internet+Regulation+on+
Investment.pdf

    According to the European Center for International Political 
Economy, if data localization requirements are implemented across all 
sectors of the economy, Indonesia will lose 0.7 percent of GDP, see a 
2.3 percent reduction in domestic investment, suffer a 1.7 percent 
decrease in exports, and experience consumer welfare losses of USD 3.7 
billion through higher prices and displaced domestic demand.\5\
---------------------------------------------------------------------------
    \5\ http://www.ecipe.org/app/uploads/2014/12/OCC32014_1.pdf
---------------------------------------------------------------------------
    Furthermore, data localization requirements and similar mandates 
are contrary to global norms, as seen in the APEC Leaders Statement 
adopting the APEC Cross Border Privacy Principles,\6\ the OECD 
Guidelines on the Protection of Privacy and Transborder Flows of 
Personal Data \7\ and the Trans-Pacific Partnership (TPP) Agreement.\8\
---------------------------------------------------------------------------
    \6\ http://www.apec.org/Meeting-Papers/Leaders-Declarations/2011/
2011_aelm
    \7\ http://www.oecd.org/sti/ieconomy/
oecdguidelinesontheprotectionofprivacyandtransborder
flowsofpersonaldata.htm 
    \8\ https://www.usasean.org/system/files/downloads/
joint_summary_of_tpp.pdf
---------------------------------------------------------------------------
    By removing these barriers and taking a more liberalized approach, 
Indonesia will facilitate increased job creation and economic growth. A 
recent study by the U.S. Chamber of Commerce demonstrates that a more 
open, competitive marketplace for data flows would create 1.74 million 
Indonesian jobs, USD 1.42 billion in government revenue, USD 6.48 
billion in new investments, and a USD 29.38 billion contribution to 
GDP.\9\
---------------------------------------------------------------------------
    \9\ https://www.uschamber.com/sites/default/files/
022925_ict_reportflyer_indonesia2.pdf
---------------------------------------------------------------------------
    We recognize the Indonesian government's interest in maintaining 
reliable access to company and financial data for legitimate 
regulatory, audit, and investigative purposes. The U.S. private sector 
is willing to continue to engage constructively in finding a solution 
that meets the government's needs as well as those of businesses and 
consumers. Furthermore, governments around the world are already 
developing data sharing systems that would allow regulators to access 
data held in other countries, like the International Association of 
Insurance Supervisors (IAIS)'s multilateral memorandum of understanding 
(MMoU). Sixty-one insurance supervisors, including those of Singapore, 
Malaysia, Hong Kong, Australia and India currently utilize this network 
to share information. Restrictions on cross-border data transfers could 
prevent regulators and auditors in other countries from accessing 
information about businesses operating in Indonesia, undermining 
regulatory cooperation and creating compliance challenges for 
multinational companies.
    Thank you for your attention and for considering this input. The 
U.S. private sector stands ready to serve as a resource in the 
continued discussions around GR82.
            Sincerely,
                                               Lin Neumann,
                                                 Managing Director,
                                                      AmCham Indonesia.

                                                Jeff Paine,
                                                 Managing Director,
                                               Asia Internet Coalition.

                                             Jared Ragland,
                                     Senior Director, Policy--APAC,
                                           BSA | The Software Alliance.

                                          Jonathan Kallmer,
                              Senior Vice President, Global Policy,
                               Information Technology Industry Council.

                                         Alexander Feldman,
                                                 President and CEO,
                                             US-ASEAN Business Council.

                                               Tami Overby,
                                       Senior Vice President, Asia,
                                              U.S. Chamber of Commerce.

cc: His Excellency Budi Bowoleksono, Ambassador of Indonesia to the 
United States
The Honorable Joseph R. Donovan, Jr., United States Ambassador to 
Indonesia
                                 ______
                                 
                   Data Localization Myths and Facts
MYTH: Requiring local data centers will create jobs.
FACT: Jobs are created by businesses that leverage a global network of 
        data centers, using the best available technology to increase 
        efficiency regardless of location. Data centers only create a 
        limited number of low paying, short-lived jobs.
    An open market place that allows data flows enables domestic 
industries to focus on the quality of their products and services, 
better positing them to compete in global markets rather than spending 
time and resources on how to move data across borders. Data centers can 
cost hundreds of millions of dollars to build and operate.
    The experience to date in both Europe and the United States 
indicates that while construction of data centers creates employment 
opportunities, they are relatively short-lived. For example, only 50 
people are needed to support a $1 billion mega-data center built by 
Apple in the small town of Maiden, North Carolina.\1\ Further, data 
centers are becoming increasingly automated, requiring less staff to 
help run them.
---------------------------------------------------------------------------
    \1\ https://www.washingtonpost.com/business/economy/cloud-centers-
bring-high-tech-flash-but-not-many-jobs-to-beaten-down-towns/2011/11/
08/gIQAccTQtN_print.html
---------------------------------------------------------------------------
MYTH: Data localization policies will boost economic growth.
FACT: In the long-run, forced localization policies will negatively 
        impact GDP and foreign investment.
    Visions of years of enormous property tax benefits are outweighed 
by the incentives that local governments are required to pay to lure 
companies to locate in their jurisdiction and by the need to subsidize 
the large amount of electricity required to run a data center.
    The European Centre for International Political Economy examined 
the overall impact of localization measures in seven countries--Brazil, 
China, the European Union, India, Indonesia, Korea, and Vietnam--and 
found negative impacts on GDP and foreign investment. They found that 
economy-wide data localization laws drain between 0.7 percent and 1.1 
percent of GDP from the economy and that any gains are too small to 
outweigh losses in terms of welfare and output in the general 
economy.\2\
---------------------------------------------------------------------------
    \2\ http://www.ecipe.org/app/uploads/2014/12/OCC32014 1.pdf
---------------------------------------------------------------------------
MYTH: Data localization will promote domestic industry.
FACT: Data localization requirements reduce competitiveness by walling 
        off domestic businesses from the billions of potential 
        customers outside of the home country's borders.
    The isolation created by data localization reduces investment and 
access to capital--the ability to assess a potential borrower's 
creditworthiness or to spot potentially fraudulent active often depends 
on the ability to move data across borders. Data localization polices 
require more redundancy, personnel, and costs that could be more 
efficiently utilized elsewhere.
MYTH: Data localization will lower costs for domestic business.
FACT: Requirements for local servers could hurt domestic industry by 
        compelling local businesses to sacrifice efficiency and seek 
        out more expensive, less reliable services.
    Localization requirements may limit the ability of firms to access 
logistics and supply chain infrastructure, conduct effective research, 
secure appropriate insurance, or readily participate in financial 
markets. Moreover, one source indicates that when a data center goes 
down, it can cost a company as much as $7,900 per minute. Regions with 
inconsistent electric grids frequently experience hours of downtime, 
resulting in substantial costs. Economic growth is better served by 
companies that are able to leverage the most efficient and reliable 
services from around the world.
    Local businesses would be required to pay 30-60 percent more for 
their computing needs if required to localize than if they could go 
outside the country's borders. Further, many countries considering data 
localization have no publicly available cloud computing providers, 
meaning they would be forced to use non-public cloud computing 
resources, or to purchase and maintain their own infrastructure which 
would require significant investment.\3\
---------------------------------------------------------------------------
    \3\ https://static1.squarespace.com/static/
556340ece4b0869396f21099/t/559dad76e4b0899d97
726a8b/1436396918881/Quantifying+the+Cost+of+Forced+Localization.pdf
---------------------------------------------------------------------------
MYTH: Data localization increases security.
FACT: Data security depends on a plethora of controls, not the physical 
        localization of a server. Keeping data in limited physical 
        locations harms the security of that data.
    Business often back up data outside the country in which it is 
collected to help ensure it remains secure in the event of a natural 
disaster, power outage or other such emergency that could take a data 
center offline. Business and consumers benefit when those who maintain 
data are able to use the best available security measures, regardless 
of the physical location of the data they seek to protect. Geographic 
neutrality with regard to data storage enables all companies, 
particularly small ones, to employ cost-effective information security 
solutions. Requiring data to be localized would actually increase the 
risk of cyber attacks as the amount of data held increase in limited 
locations.
MYTH: Storing data locally ensures individual privacy and protects data 
        from over-broad law enforcement access abroad.
FACT: Forcing data to be stored locally does not have any incremental 
        impact on privacy.
    The belief is that, if data are required to be kept within a 
country, governments will be better able to ensure individual privacy 
and prosecute those who violate privacy laws. In reality, the location 
of servers has absolutely no effect on privacy, as the local government 
would still have legal jurisdiction over companies who own the data, 
regardless of where their data are actually stored.\4\
---------------------------------------------------------------------------
    \4\ http://www2.itif.org/2013-localization-barriers-to-
trade.pdf?_ga=1.126836941.1580072294.14
83722057
---------------------------------------------------------------------------
    In general, firms have reported that data-localization requirements 
are expensive, time-consuming, and disruptive, and do not improve data 
privacy, which is often the officially stated purpose of this type of 
measure.\5\ Only, narrowly tailored and proportionate privacy 
requirements allow for better oversight and the protection of 
individual privacy.
---------------------------------------------------------------------------
    \5\ https://www.usitc.gov/publications/332/pub4485.pdf
---------------------------------------------------------------------------
MYTH: Data localization only impacts Internet companies.
FACT: Data localization impacts the operation of foreign and domestic 
        companies across all sectors.
    Over 90 percent of global companies are using ICT services, such as 
cloud computing, in at least part of their operations.\6\ The Internet 
opens up new markets and export opportunities for businesses of all 
size. Small and medium-sized enterprises that rely heavily on Internet 
services have 22 percent greater revenue growth than companies that do 
not.
---------------------------------------------------------------------------
    \6\ http://assets.rightscale.com/uploads/pdfs/RightScale-2015-
State-of-the-Cloud-Report.pdf.
---------------------------------------------------------------------------
    Data localization policies fragment the Internet. These 
requirements build artificial walls or checkpoints that stop data from 
flowing outside national boundaries, making it more difficult and 
expensive to operate beyond borders. This is especially the case for 
businesses that do not have the resources to deal with burdensome 
restrictions in every country in which they may have customers.
MYTH: Data localization centers are cost-effective and lower trade 
        deficits.
FACT: Typically the equipment necessary to for a data center needs to 
        be imported into a country, driving up the trade deficit. 
        Further, data center costs are on the rise due to the increased 
        power capacity necessary.
    Data centers require varying kinds of equipment in order to 
operate. The first is IT equipment, which includes servers, storage 
unites, and network equipment. This is expensive hardware that is 
usually specialized for the type of data it will store. This equipment 
typically has to be shipped into the country, and is not just a one-
time cost. In order to stay up-to-date, hardware has to be regularly 
modernized. For example, it is recommended that IT servers are renewed 
every three years in order to maintain performance and reliability.
    The second category of equipment is everything that will help the 
data center run, such as electrical systems, mechanical systems, 
cooling etc. While these goods are usually sourced locally, they 
come1at a high cost. Power costs alone of a data center run around 
100,000 USD per megawatt while network connectivity costs run about 
250,000 per mile of fiber optic cable connection.
MYTH: Data localization centers guarantee more innovative technologies.
FACT: Not all data centers give access to new and innovative products 
        and services. And once a center is built, adapting the center 
        to new technologies requires more equipment and cost. The most 
        effective way to encourage innovation is through allowing 
        companies to collect, move, and analyze data across borders.
    Not all data centers are the same. Many different types of data 
centers and service models exist depending on the data being stored. 
Depending on the function one data center may require customized 
equipment, higher bandwidth, and/or more security versus another data 
center. Therefore, simple requirements to store data locally may not 
ensure that the data centers created will focus on innovative 
solutions. Further, a data center has limited capacity. Once it is 
built it is not easy to change the amount of storage and workload 
handle without purchasing and installing more equipment.
    Innovation requires data to move so that companies can collect, 
transfer, and analyze data. Data centers create an unnecessary barrier 
to this movement that can make firms less competitive and innovative. 
Instead of putting more resources into improving and creating new 
products and services, companies are forced to spend more money on data 
storage and compliance activities. This impedes the ability to put more 
resources into day-to-day activities as well as innovation. Domestic 
companies and start-ups will also find it harder and more expensive to 
benefit from the competitive global market that allows the exchange of 
research, new technologies, and best practices that can improved 
products and services.
                                 ______
                                 
               Statement of the U.S. Chamber of Commerce
                                  ON:
   Investigation No. 332-562 Global Digital Trade 2: The Business-to-
       Business Market. Key Foreign Trade Restrictions, and U.S. 
                            Competitiveness;
   Investigation No. 332-563 Global Digital Trade 3: The Business-to-
            Consumer Market, Key Foreign Trade Restrictions
            TO: U.S. International Trade Commission (USITC)
                      BY: U.S. Chamber of Commerce
                          DATE: April 6, 2018
    The U.S. Chamber of Commerce is the world's largest business 
federation representing the interests of more than 3 million businesses 
of all sizes, sectors, and regions, as well as state and local chambers 
and industry associations. The Chamber is dedicated to promoting, 
protecting, and defending America's free enterprise system.
    More than 96 percent of Chamber member companies have fewer than 
100 employees, and many of the Nation's largest companies are also 
active members. We are therefore cognizant not only of the challenges 
facing smaller businesses, but also those facing the business community 
at large.
    Besides representing a cross section of the American business 
community with respect to the number of employees, major 
classifications of American business--e.g., manufacturing, retailing, 
services, construction, wholesalers, and finance--are represented. The 
Chamber has membership in all 50 states.
    The Chamber's international reach is substantial as well. We 
believe that global interdependence provides opportunities, not 
threats. In addition to the American Chambers of Commerce abroad, an 
increasing number of our members engage in the export and import of 
both goods and services and have ongoing investment activities. The 
Chamber favors strengthened international competitiveness and opposes 
artificial U.S. and foreign barriers to international business.
    Thank you for this opportunity for the U.S. Chamber of Commerce 
(the Chamber) to provide a submission to the U.S. International Trade 
Commission's (USITC) Inv. No. 332-562 Global Digital Trade 2: The 
Business-to-Business Market, Key Foreign Trade Restrictions, and U.S. 
Competitiveness and Inv. No. 332-563 Global Digital Trade 3: The 
Business-to-Consumer Market, Key Foreign Trade Restrictions, and U.S. 
Competitiveness.
    The United States has positioned itself as the leader of the global 
digital economy. American companies innovate faster and generally out-
compete foreign firms. The benefits of the digital economy are not 
limited to ``technology'' companies but are experienced by companies 
across all industries from agriculture to manufacturing. U.S. 
businesses of all sizes rely on the Internet to manage their 
relationships with customers and supply chains; digital commerce has 
spread widely and is even creating completely new industries.
    However, U.S. competiveness is threatened by the imposition of 
trade barriers that create market access barriers, discriminate against 
U.S. firms, and limit the movement of data across borders. In this 
submission, the U.S. Chamber would like to highlight five of the top 
barriers our companies are facing abroad: (1) data localization (2) 
local content requirements (3) standards (4) privacy and cybersecurity 
(5) intellectual property. In addition, we have provided an annex that 
lists specific barriers per country.
    1. Data Localization: Data localization barriers continue to be one 
of the most prevalent and impactful barriers to American companies who 
are forced to localize their operations. The movement of data through 
the global economy is becoming just as important as the ability to move 
goods, services, or capital. Further benefits will not be realized if 
data does not have the ability to cross borders.
    Data localization requirements directly limit the movement of data. 
Some common requirements U.S. companies are facing include mandatory 
establishment of a data center or physical presence within a 
jurisdiction in order to operate as well as restrictions on how data 
can be transferred internationally. Data localization creates higher 
costs for U.S. companies raise costs for companies and disrupt their 
global operations by creating silos of data. In addition, many of the 
countries requiring data to be stored locally lack the necessary 
infrastructure to ensure ease of doing business and security.
    2. Local Content Requirements: Local content requirements require 
firms to use domestically manufactured goods or domestically supplied 
services in order to operate in an economy. Foreign governments are 
increasingly mandating the use of local content in an attempt to boost 
the local economy, enhance skills and capabilities, and boost 
employment.
    Countries are increasingly trying to encourage indigenous 
innovation through local content requirements, particularly linking 
specific requirements to government procurement contracts and 
standards.
    3. Standards: As technology continues to evolve, standards must 
evolve as well. Voluntary, industry-led, globally recognized standards 
will drive secure, flexible, and interoperable solutions that scale 
across a global ecosystem. Internationally recognized standards enable 
interoperability helping to expand the access business, government, and 
consumers have to global markets.
    However, many countries continue to set their own onerous local 
standards rather than utilizing internationally accepted standards, 
assessments, and certifications. Over 80 jurisdictions have created new 
ICT-related technical standards, many of which are not consistent with 
global standards and norms.
    These types of standards create a hodgepodge of sometimes 
conflicting and overlapping requirements that disrupt global supply 
chains. Others have unnecessary requirements that companies duplicate 
testing or approval, even though standards between the United States 
and that country are similar. Redundant and unnecessary in-country 
testing and certification requirements create a costly burden for 
American companies trying to enter or already established in the 
market.
    4. Privacy and Cyber Security: As the movement of data increases, 
data privacy and security have become growing concerns around the 
globe. While privacy and security standards are necessary in order to 
ensure consumer protection, consumers and businesses also need to be 
able to move and access data. However, governments often enact measures 
that interfere with these needs without a good regulatory 
justification, creating difficulties for companies conducting business 
in-country and worldwide. It is important to note that these challenges 
are not necessarily traditional ``trade'' type problems where trade 
tools are well situated to tackle concerns. More often these issues 
require intensive engagement on the part of U.S. regulators engaging in 
regulatory cooperation type activities.
    While privacy and cybersecurity regimes can create regulatory 
challenges that impede digital trade, the motives are not always easily 
discernable to label them clear attempts to obfuscate trade 
commitments. Many countries have cited privacy and cybersecurity 
concerns as the basis for requiring foreign companies to store data 
within national borders. U.S. regulators should engage with their 
international counterparts to identify their regulatory objectives with 
regards to privacy or cyber security in order to determine whether less 
trade restrictive solutions can be identified.
    5. Intellectual Property: In a rapidly evolving digital age, 
adequate protection for digital products and services is critical to 
supporting 21st century creativity. As IP-driven creative and 
innovative content is increasingly consumed digitally, effective IP 
protections must be in place and enforced online. Strong IP protections 
provide the legal certainty needed to incentivize investment in the 
newest, next-generation technologies and help ensure that these 
technologies will be appropriately protected from bad actors and unfair 
market practices that discourage future investment. Moreover, strong IP 
protections incentivize investment in high-quality content creation 
that drives global Internet traffic to legitimate digital platforms.
    In particular, companies are increasingly facing requirements to 
disclose source code and algorithms as a condition for market access. 
This is proprietary information that enables companies to deliver 
cutting edge research, products, and services. Further, some countries 
that require source code and algorithm disclosure use that information 
to prop up their own domestic industry, which in turn erodes the 
ability of U.S. companies to compete.
    The Chamber has released an annual International IP Index that 
illustrates how economies with strong IP systems are more likely to 
derive the following benefits:

   26 percent more likely to benefit from access to the latest 
        technologies

   Provide up to three times greater access to licensed music 
        online

   Generate nearly three times more theatrical screenings of 
        feature films

   Generate twice as many video-on-demand and streaming 
        services

   Generate almost 3 times more online creative content

   62 percent more likely to have larger and more dynamic 
        content and media sectors

    To further underscore our points above, we have compiled a non-
exclusive annex of digital trade barriers that U.S. companies face 
across key markets. We appreciate the opportunity to comment and 
welcome further opportunities to assist USITC with its investigation of 
business-to-business and business-to-consumer digital trade barriers.
                  Annex: Specific Concerns by Country
Brazil
    Data Localization: Brazil has a number of proposed regulations 
requiring data localization. In particular, the Marco Civil da Internet 
(Law No. 12,965/2014) and recently, the Personal Data Protection Law 
Draft Bill. Marco Civil da Internet was enacted in 2014. Described as 
``The Constitution of the Internet'', the law is aimed at defending 
privacy rights and net neutrality. Although, the provision for data 
localization was proposed and debated, it was not included in Marco 
Civil da Internet.
    Local Content Requirements: Brazilian law includes a number of 
local content requirements. The forced localization policies limit the 
legitimate content that Brazilian consumers can access, which could 
force users to seek out the content on illegitimate sites. The local 
content requirements also disrupt the existing supply chain and inhibit 
the growth of new technologies.
    The Plano Brasil Maior, aimed at boosting the competitiveness of 
the domestic industry, has led to the implementation of the Buy 
Brazilian Act. In public bidding, a preference margin of 25 percent is 
given to goods or services that are produced domestically and comply 
with local technical regulations. It promotes goods and services 
created by local companies, and companies that invest in research and 
development in Brazil. Furthermore, the law allows for ``strategic'' 
ICT goods and services public procurements to be restricted to local 
bidders. Other than the Buy Brazilian Act, Decree 7174 regulates the 
procurement of ICT goods and services of the public sector. Government 
bodies are to provide preferential treatment to locally produced ICT 
goods and services based on a non-transparent price/technology matrix. 
While cross-border ICT service vendors are not excluded from public 
procurement, protectionist measures such as the Buy Brazilian Act and 
Decree 7174 put them at a great disadvantage.
    In addition, the Basic Production Process (Article 3 of Law No. 
8248 from October 23, 1991) has provisions that offer government 
procurement preferences for goods and services that employ technology 
developed locally. The Basic Production Process requires the employment 
of goods/machines produced locally or technology developed locally.
    Within the telecommunications sector, Brazil has barriers to 
foreign participation in the telecommunications sector. According to 
the Federal Constitution, article 21, XI and Decreet No. 2.617 article 
1, in order to receive authorization from Anatel, the National 
Telecommunications Agency, a company must be headquartered in Brazil 
and have 51 percent of national capital. Indirect participation is 
allowed through an intermediary, uncertainty on these provisions 
remains around the ability for foreign companies to participate in the 
telecommunications sector.
    Privacy: Brazil currently has two data protection bills pending, PL 
4060/2012 (House bill) and PLS 330/2013 (Senate bill). These bills 
mimic the European Union's General Data Protection Regulation (GDPR) 
but have even more stringent provisions. The proposed definition of 
personal data is expansive and ambiguous, framing almost all general 
personal information as personal data.
    The draft bills aim to protect the processing of personal data in 
order to guarantee the free development of the natural person's 
personality and dignity. Bill No. 5276/2016 stipulates a provision 
regulating the international transfer of data. This article could 
potentially be a barrier for the provision of cross-border ICT 
services. It stipulates that cross-border data transfers are only 
allowed if the corresponding countries share an equivalent level of 
data protection to that of the Brazilian law.
    The draft bills do not provide a list of countries whereby 
international data transfers are permitted. Sources report that these 
bills are heavily modelled on the European Data Protection Directive. 
Accordingly, the EU commission has presently recognized the following 
countries as providing adequate data protection: Andorra, Argentina, 
Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, 
Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. As such, 
should the Personal Data Protection Law be enacted, Brazilian companies 
that have their data stored outside of the countries listed above will 
have to repatriate their data and rely on domestic data centers. 
Accordingly, the law will limit the breadth of ICT services that would 
otherwise be available to local companies.
    Digital Piracy: Online piracy remains pervasive in Brazil, greatly 
limiting economic and cultural opportunities for Brazilian and American 
creative industries alike. Because increased broadband use has 
accelerated the expansion of pirated works online, steps must be taken 
to develop a legitimate online marketplace which adequately protects 
copyrighted works. Of note, in 2017, a new important player has gained 
force in the Brazilian piracy ecosystem which further undermines 
protection for copyrighted content online: illegal streaming devices, 
such as the HTV box, which offers the entire grid of live TV paid 
channels, as well as a VOD service with movies and TV shows, illegally 
sourced. Furthermore, industry reports that over 50 percent of the 
products on the main Brazilian e-commerce platform, 
Mercadolivre.com.br, are counterfeit. Brazil's copyright environment 
could be significantly strengthened through the creation of an 
effective and timely mechanisms to combat online copyright 
infringement, most notably expanding the availability of injunctive 
relief to prevent access to infringing materials.
    Standards: The United States and Brazil are both participants in 
CITEL. Brazil should implement the Inter-American Telecommunication 
Commission (CITEL) Mutual Recognition Agreement (MRA) with regards to 
the United States. This would allow the United States and Brazil to 
agree to mutual recognition of conformity assessment bodies and mutual 
acceptance of the results of testing and equipment certification 
procedures in regards to telecommunications equipment.
    Cloud Computing Security Regulation: The Brazil Central Bank's 
draft cloud computing security regulation (Public Consultation Notice 
57/2017) includes a number of provisions which are concerning to 
industry. These include:

   Provisions that require data to be stored within Brazil

   Onerous company reporting requirements which will 
        potentially damage companies' ability to implement best in 
        class security solutions

   Prescribing specific security solutions which limit 
        companies' ability to assess and manage cybersecurity risks to 
        their business

   Mandating broad cyber incident reporting requirements which 
        will create an administrative burden on companies and 
        regulators without increasing security

   Requiring that companies share sensitive commercial 
        information without a clear regulatory or investigatory purpose

   Creating potentially overlapping cybersecurity regulatory 
        requirements

    The Central Bank has indicated a willingness to engage with 
stakeholders. We intend to work with them to remove these concerning 
provisions.
China
    Digital Piracy: With respect to online piracy, there has been some 
progress in recent years in government enforcement against distribution 
of infringing content. Chinese enforcement authorities have begun to 
crack down on illegal distribution of content, and rights holders have 
successfully sued websites engaged in brazen infringement, in some 
cases supported by the National Copyright Administration of China 
(NCAC). Not surprisingly, the legitimate market has responded 
positively to this crackdown on illegal activity. However, China still 
lacks effective tools to encourage cooperation of Internet 
intermediaries, ensure rapid takedown of infringing content, take 
action against repeat infringers, and provide proactive measures to 
address piracy. The NCAC national campaign, pushing ahead the third 
amendment of the Copyright Law, and the new NCAC guidelines for cloud 
services have been good steps in the right direction, but much more 
still needs to be done. Increased criminal actions against online 
infringers and additional measures against Internet service providers 
and online platforms that knowingly host infringing content should be a 
priority in the coming year.
    There is an additional type of piracy that has become rampant 
throughout Asia--illicit streaming devices such as media boxes, set-top 
boxes, or other devices that allow users, through the use of piracy 
apps, to stream, download, or otherwise access unauthorized content 
from the Internet. ISDs are part of a sophisticated and integrated 
online ecosystem facilitating access to pirated audiovisual materials. 
These devices have emerged as a significant means through which pirated 
motion picture and television content is accessed on televisions in 
homes in China. China is a hub for the manufacture of these devices. 
The devices may be promoted and/or advertised to enable infringement of 
copyright or other illegal activities. Chief among these activities 
are: (1) enabling users to access unauthorized decrypted motion 
pictures or television programming; (2) facilitating easy access, 
through apps, to remote online sources of unauthorized entertainment 
content including music, music videos, karaoke, motion pictures and 
television programming, video games, and published materials; and (3) 
pre-loading the devices with infringing apps that provide access to 
hundreds of high definition (HD) motion pictures prior to shipment or 
allowing vendors to load content upon import and prior to sale, or as 
an ``after sale'' service. The Chamber notes that the Beijing 
Intellectual Property Court held a set top box manufacturer liable for 
streaming unauthorized content under secondary liability theory in 
2015. The Chamber is hopeful that China will take a firm stand against 
this type of infringing activity and take enforcement efforts to 
eradicate the problem, including against exports.
    The issue of online journal piracy continues in China and appears 
to be worsening. Unauthorized services sell online access to, or copies 
of, journal articles without the authorization of--or payment of 
compensation to--publishers. These unauthorized services undermine the 
investment that international (and Chinese) publishers make in journal 
publishing, which helps to deliver high quality journals that are 
critical to the advancement of science, technology and medicine within 
China and globally. Timely enforcement and effective deterrence is 
critically important. China's failure to conclude the investigation of 
the case against KJ Med illustrates the remaining enforcement 
challenges that allow such an entity to continue its operations.
    Publishers also continue to be concerned about ``sharing 
services,'' which are open online platforms where users can upload and 
share documents. These services, such as Baidu Wenku, Sina, and Docin, 
employ ``digital coin'' systems, whereby coins earned through uploading 
documents may be used to ``purchase'' English language and Chinese 
translations of trade books, textbooks, and journals for download. 
These sharing services have ineffective notice and takedown processes 
for reporting and addressing infringements. Other online entities sell 
login credentials that are used to gain unauthorized access to 
proprietary online journal databases.
    Data Localization: The Chinese government is exerting greater 
control over where commercial data is stored and how it is transferred, 
thereby skewing the decision making of foreign companies that must 
decide where products are made and innovation takes place.
    Data localization requirements have appeared in a wide range of 
Chinese policies, making their impact broadly felt across all sectors 
of China's economy, including banking, insurance, credit rating, 
mapping, healthcare, power generation, and cloud computing. These 
policies are restricting the ability of companies to compete in the 
China market as multi-national companies.
    Below is the primary legal framework and authority for data 
localization:

    Cybersecurity Law (CSL): Effective June 1, 2017, China's CSL 
provides a legal framework and basis for data localization. It sets 
forth a potentially expansive scope to store personal information and 
important data--both vaguely defined terms--within China's borders. 
Article 37 of the law requires all personal information and important 
data gathered or generated by critical information infrastructure (CII) 
operators to be stored in China. CII operators can transfer 
information/data out of China if they have a necessary business 
requirement and conduct and pass a security assessment (see section 
below on cross-border data flow for details about the security 
assessment).
    The definition and scope of CII is essential to assessing the data 
localization requirement on industry. Article 31 of the CSL gives a 
broad definition that is both vague and expansive, and requires the 
State Council to formulate a specific CII administrative regulation.
    Regulation on the Protection of Critical Information Infrastructure 
(CII): Issued for public comment in July 2017, this draft regulation 
sets forth significant and stringent regulatory obligations, including 
requirements to store important data and personal information locally 
and a mandatory review process to move data outside China. Similar to 
the CSL, the draft regulation provides a broad and unclear scope for 
CII--including everything from telecommunication networks, broadcasting 
networks, Internet and other information networks, to organizations 
that provide cloud computing, big data, and other information 
services--that creates significant uncertainty for businesses.
    The Chamber expects China's Technical Committee 260 (TC 260) to 
issue guidelines on CII to provide further guidance on CII designation. 
The business community urges the Chinese government to define CII 
narrowly to only the most sensitive systems, such as the Communist 
Party of China, the Central Government, and the People's Liberation 
Army but not including state-owned enterprises, local governments, and 
healthcare and education institutions. Regrettably, it appears the 
reverse may be happening; a recent National People's Congress work 
report found over 12,000 CII systems.
    Personal data protection/privacy measures: As China develops its 
privacy and data protection regime it is critical to engage relevant 
stakeholders to ensure interoperability and benefit consumers, 
industry, and governments alike. The U.S. business community is 
concerned that China has been hesitant to address privacy protection 
and enforcement issues through international cooperation. At present, 
China is not a member of the APEC cross-border privacy rules system or 
the cross-border privacy enforcement arrangement, and its data storage 
and security assessments are incompatible existing or emerging 
frameworks, including APEC, the General Data Protection Regulation, 
Pacific Alliance, and the NAFTA update. Industry is concerned that 
China approach to data protection and privacy--which unreasonably 
focuses more on where rather than how data is stored in the name of 
privacy and cybersecurity--will risk fragmenting the Internet along 
national or regional borders.
    China has neither an omnibus privacy/data protection law, nor a 
single data protection authority responsible for enforcement. Rather, 
it regulates and enforces privacy through a number of industry-specific 
regulations and agencies. Some Chinese officials are calling for a 
stand-alone Privacy Law; however, it is still likely several years 
away.
    The below list represents a non-exhaustive list of the main laws 
and regulations currently governing personal data protection and 
privacy.

    Cybersecurity Law: China's CSL adopts and modifies existing 
regulation on privacy issues and codifies them into law. The CSL 
requires user consent for the collection of personal information. Such 
requirements apply to network operators rather than being applicable to 
data collection generally by all potential data collectors. Network 
operators--which is loosely defined and could mean any network--will be 
subject to several requirements on collecting and using personal 
information, including ensuring the collection and use is legal, 
proper, and necessary, removing/correcting errors in personal 
information, and informing authorities in the event of a data breach or 
likely data breach.
    Personal Information Security Specification: In initial drafts of 
the Specification, explicit consent was required for the collection and 
use of personal information. The final draft, however, removed the term 
``explicit'' from consent for certain items. This change may signal a 
potential easing on the consent requirement to allow implied consent. 
However, because the specification does not expressly state that 
implied consent is allowed, it may lead to uneven implementation by 
enforcement agencies.
    Moreover, because the CSL does not allow the collection of personal 
data outside consent, it creates incoherence between law and standard. 
Consequently, despite some optimism, uneven and selective enforcement 
appears to be the most realistic result.
    As China's data and privacy measures are in a state of flux, it is 
critical that the U.S. Government continue to monitor ongoing 
developments and their impact on industry.
    Restrictions on cross-border data flows: In addition to the 
policies discussed in the above data localization section, China also 
maintains specific regulations and standards aimed at cross-border data 
flows:

    Security Assessment Measures for Exporting Personal Information and 
Important Data: The Measures introduced by Cyberspace Administration of 
China (CAC) in April 2017 implement Article 37 of the CSL, outlining 
security assessment requirements for companies that export data 
overseas. While the CSL only requires a security assessment for CII 
operators, the Measures significantly expand the scope of cross-border 
data flow restrictions to all network operators, which could 
conceivably encompass any company. After significant pushback from 
industry, CAC granted a 19-month grace period (which will take effect 
December 2018) for businesses to comply with the Measures, but it does 
not appear to have addressed industry's substantive concerns.
    Guidelines for Cross-Border Data Transfer Security Assessment: 
China's TC 260 issued the draft Guidelines for public comment in 
October 2017. The latest draft broadens the definition of ``operations 
within the territory of China'' to network operators that are not 
registered in China but provide products or services inside the 
country. It also expands the definition of data exports to data that is 
not transferred to or stored outside of China but is accessed and 
viewed by overseas individuals or organizations (excluding public 
information/websites). Regrettably, these guidelines intensify foreign 
companies' concerns about the outlook of China's data regulation.
    In combination with China's data localization requirements, the 
cross-border data flow restrictions are raising costs and creating an 
uneven playing field. Restrictions on cross-border data transfer 
advantage domestic companies through easier access to data on one of 
the world's two largest national populations as data is regarded as a 
national strategic resource.
    We welcome the recent U.S. Government filing at the WTO that calls 
upon China to refrain from implementing the CSL and various 
implementing measures. The U.S. Chamber and our members agree with the 
U.S. Government that implementation of these measures would disrupt, 
deter, and in many cases, prohibit cross-border transfers of 
information that are routine in the ordinary course of business.
Technical Standards
    Commercial cryptography/encryption regulations: The Chinese 
government is in the process of drafting its first Encryption Law. The 
below summary highlights industry's main concerns:

    Draft Encryption Law: China's draft Encryption Law takes an overly 
broad regulatory approach towards commercial encryption that could have 
a large impact on trade in ICT products in China. Key provisions of 
concern include strict and intrusive import/export licensing regimes 
for commercial products with encryption, requirements to use mandatory 
national standards, burdensome testing and certification requirements, 
and broad enforcement powers that could require disclosure of sensitive 
and confidential business information. Moreover, the Cryptography Law 
limits participation by foreign companies to one of the three 
categories of encryption and only under strict regulation. Because 
encryption is a standard feature of almost all technology products, it 
could have significant impact on a wide range of companies.
    Market-specific testing and certification requirements: China uses 
a number of testing, certification, and standards requirements that not 
only restrict companies' ability to access and compete in the market, 
but also put valuable IP and proprietary information at risk of theft 
or exposure.
    Secure and Controllable: ``Secure and controllable'' is one of the 
clearest and most concrete examples of discriminatory treatment through 
a standard. The basic secure and controllable concept is incorporated 
into both the National Security Law and the CSL, giving it a legal 
basis.
    Although never formally defined, regulations and guidelines using 
the term indicate that companies' information communications products 
would not be able to qualify as ``secure and controllable'' unless they 
surrender key technologies, such as source code and encryption 
algorithms, to Chinese authorities. In recent draft standards issued by 
the Chinese TC 260 committee on CPUs, operating systems, and office 
suites, the ``secure and controllable'' score is linked directly to IP 
disclosure (i.e., the more IP an applicant discloses the higher its 
score).
    The Chinese government has asserted that the secure and 
controllable concept was introduced to ensure information technology 
products and services used in Chinese networks--ranging from commercial 
enterprises to government institutions--were secure. While every 
country is justified in protecting its national security, it should not 
be used as a pretext to pursue and mask industrial policy. In 2015, 
Presidents Obama and Xi agreed not to impose nationality-based 
conditions or restrictions on the purchase, sale, or use of ICT 
products by commercial enterprises. Since the commitment was made, U.S. 
industry has not seen a reversal of the policy. To the contrary, there 
has been a proliferation of secure and controllable policies across 
industry sectors, which calls into question China's commitment to the 
2015 agreement.
    Trade-inhibiting security reviews may weaken security, constitute a 
technical barrier to trade as defined by the WTO, and put valuable 
American IP at risk of inappropriate disclosure. As Chinese companies 
ascend the value chain and master more advanced technologies, state-led 
security reviews and testing may be used to block foreign companies 
from the China market and thereby allow domestic champions to build 
economies of scale in a protected market from which they can compete 
globally.
    With the passage of the CSL and the issuance of draft security 
measures and finalized equipment catalogues, these potential concerns 
are beginning to take shape. According to the CSL, all CII operators--
which may cover a large swath of commercial industries--buying 
communications networking products and services are required to undergo 
a security review. The potentially broad scope of this requirement and 
the intrusive aspects of review--including the possible required 
disclosure of source code, algorithms, and other sensitive IP--may 
result in U.S. companies being either marginalized from the market or 
forced to disclose valuable information.
    The Network Products and Services Security Review Measures: The 
pilot measures for security assessments have provisions that aim to 
raise the overall level of ``secure and controllable'' content and use 
non-security review criteria, such as dominant market position, in the 
assessment. These policy measures also include a number of elements 
that appear unjustifiably intrusive, including allowing officials to 
enter offices and question staff.
    Catalogue on Key Network and Specialized Equipment Security 
Products: For products falling within the Key Network and Specialized 
Equipment Security Products Catalogue, companies are required to 
undergo an unspecified government security-examination or obtain a 
security certification to be sold in the commercial market. The 
Ministry of Public Security and CAC, among other agencies, are 
responsible for certifying the testing laboratories. Whether it is 
through the security assessment measures or the catalogue's examination 
or certification, companies may be required to either meet subjective 
criteria or disclose an excessive and burdensome amount of sensitive 
information that is unnecessary for its stated objective. Although this 
catalogue constitutes a technical regulation as defined in the WTO TBT, 
China has not notified the catalogue to the TBT.
    Multi-Level Protection Scheme: In addition to the above recently 
issued security reviews, industry continues to have concerns about the 
Multi-Level Protection Scheme (MLPS). MLPS, first issued in 2007, is a 
rating system aimed at promoting indigenous innovation by mandating 
certain products used in Chinese information networks be developed and 
produced by entities invested by Chinese citizens or controlled by the 
State. MLPS imposes significant restrictions on procurement that 
unjustifiably restrict foreign companies from accessing the market.
    More recently, companies report that the scope of MLPS is 
broadening and the requirements are becoming more onerous. MLPS 
mandates that a broad spectrum of advanced IP-intensive systems, 
including commercial insurance, cloud computing, big data, mobile 
Internet of Things, and industrial controls, that go well beyond 
national security, contain not only indigenous innovation but 
indigenous IP. As a result, companies face a stark choice between 
transferring their core IP or losing market access.
Market Access
    Administrative Licensing: Misuse of administrative licensing 
procedures provides a potential opportunity for a company's market 
access to be restricted or trade secrets or proprietary information to 
be put at risk of unnecessary disclosure. For U.S. companies operating 
in China, administrative licensing (i.e., difficulty or exclusion from 
obtaining required licenses) remains a top concern, ranking among the 
top five challenges for industry overall, and technology and R&D 
industries, in particular. According to the 2017 AmCham China survey, 
opaque, unpredictable, and burdensome licensing procedures, at the 
central, provincial, and local level, can ultimately amount to market 
access barriers.
    Telecommunication (BATs and VATs): The telecommunications industry 
provides an illustrative example of how licensing is interconnected 
with market access and technology transfer. China divides its 
telecommunications sector into two categories: basic and value-added 
(VAT). Within its VATs category, China takes an expansive view that 
encompasses ``computer and related services (CRS),'' such as cloud 
computing, that use a telecom network to supply a computer service. By 
classifying relatively new technology offerings as VATs, China is 
circumventing its WTO market access commitments for CRS based on its 
domestic classification system. Per the Guiding Catalogue on Foreign 
Investment, both telecommunications categories are subject to joint 
venture and equity cap restrictions.
    Companies operating in either category are generally required to 
obtain an operating license. However, the requirements are often overly 
burdensome, and in certain circumstances, only a local entity can 
obtain a license. This general inability to obtain a license puts 
foreign companies in a highly disadvantageous position. Moreover, 
because the Chinese government not only owns and controls all major 
operators in the telecommunications industry but also regulates it, 
there exists a potential conflict of interest.
    To enter the telecommunications market, companies are all but 
forced to joint venture with a Chinese company that holds sole 
possession of the required license or licenses. As a result, the 
discriminatory licensing regime creates an uneven playing field on 
which Chinese companies are able to set extractive terms--including 
mandating technology transfer--for the joint venture.
    Virtual Private Network Regulation: On January 17, 2017 China's 
Ministry of Industry and Information Technology issued its Circular on 
Cleaning up and Regulating the Internet Access Service Market, which 
took effect on March 31, 2018. Industry is concerned that this circular 
could be disruptive to foreign-service suppliers and their customers in 
China, resulting in new constraints on market access and unnecessary 
burdens. The U.S. Chamber of Commerce supports the communication from 
the United States at the WTO Council for Trade in Services in February 
2018, and encourages the U.S. Government to work in concert with its 
trading partners to mitigate the adverse impact of the Circular on the 
business community.
    The sections below highlight two sector-specific examples in the 
electronics payment and cloud computing industry on how China uses its 
administrative licensing and regulatory regime to block market access 
or force technology transfer:
    Electronic Payments: Approximately 10 years after China agreed to 
open its market to foreign electronic payment service (EPS) providers 
under its WTO accession agreement, and following an adverse ruling at 
the WTO in 2012 against China's EPS practices, U.S. EPS providers still 
are unable to participate in China's EPS market. Meanwhile, China's 
electronic payment service (EPS) suppliers, mobile payment companies, 
and bank card issuers dominate the domestic market and are making 
significant inroads into global markets, including the United States.
    As part of the U.S.-China 100-Day Action Plan, China committed to 
``issue any further necessary guidelines and allow wholly U.S.-owned 
EPS suppliers to begin the licensing process, which should lead to full 
and prompt market access.'' While China complied with its commitment to 
issue new guidelines, China has yet to clarify if greenfield 
investments by U.S. EPS suppliers are subject to national security 
reviews in order to obtain their licenses. Further, there remain 
questions surrounding the review process, including which Chinese 
governmental and non-governmental entities would be involved, as well 
as the sequence and time-frame by which the review will occur.
    More recently, the People's Bank of China issued an announcement 
that it will require all personal and financial information collected 
or generated by foreign payment institutions to be stored, processed, 
and analyzed in China. As a result, even if market access is eventually 
given to foreign companies, localization requirements will apply to all 
their data.
    Cloud Computing: While U.S. cloud service providers have been at 
the forefront of the movement to the cloud in virtually every country 
in the world, China has imposed onerous regulations on foreign cloud 
service providers--effectively barring them from operating or competing 
fairly in China. Chinese laws and regulations on non-Chinese cloud 
service providers force U.S. cloud service providers to transfer 
valuable intellectual property, surrender use of their brand names, and 
hand over operation and control of their business to a Chinese company 
in order to sell in the Chinese market, as well as separate the local 
instance of the cloud service from the global instance, creating 
interoperability issues.
    More specifically, these measures (1) prohibit foreign cloud 
service providers from operating cloud services; (2) prohibit direct 
equity participation of foreign cloud service providers in Chinese 
cloud companies; (3) prohibit foreign cloud service providers from 
signing contracts directly with Chinese customers; (4) prohibit foreign 
cloud service providers from independently using their brands and logos 
to market their services; (5) prohibit foreign cloud service providers 
from contracting with Chinese telecommunication carriers for Internet 
connectivity; (6) prohibit foreign cloud service providers from 
broadcasting IP addresses within China; (7) prohibit foreign cloud 
service providers from providing customer support to Chinese customers; 
and (8) require any cooperation between foreign cloud service providers 
and Chinese companies be disclosed in detail to regulators. These 
measures are fundamentally protectionist and anti-competitive.
Intellectual Property Rights
Technology Transfer
    Compulsory Licensing: Compulsory licensing is not a new concept 
within China's legal and regulatory frameworks. A provision in SAIC's 
IP enforcement rule promulgated under the Anti-Monopoly Law (AML) could 
be used in some cases to force U.S. companies to license their 
essential technologies to Chinese companies. Furthermore, China's 
Patent Law includes a provision on compulsory licensing that may, if 
applied broadly, impose an unreasonable obligation for patentees to 
provide their technology to Chinese competitors.
    China is also exploring tying compulsory licensing to state 
funding. The State Council issued in July 2017 a Guiding Opinion that 
discusses compulsory licensing of patents that are obtained with 
funding from the state. This approach raises significant concerns for 
companies that would choose to accept public money to conduct R&D in 
China, including under industrial plans such as Made in China 2025 and 
Strategic Emerging Industries, as they could be forced to license their 
IP to the Chinese government. This policy, if implemented, would 
undermine innovation and diverge from the spirit of comments made by 
Minster Miao Wei that Made in China 2025 would not compel a technology 
transfer.
    Draft Export Control Law: China's draft Export Control Law--which 
includes factors such as economic development and industrial 
competitiveness in determining control lists--is creating uncertainty 
about whether technology developed by foreign companies in China-based 
R&D centers can be exported, thereby creating a non-market restraint on 
a companies' ability to commercialize their technology.
    Requirement to Disclose: While China is a signatory to the WTO, it 
appears that China does not use its commitments in the WTO Agreement on 
the Technical Barriers to Trade (WTO TBT) as a basis for its legal and 
policy frameworks for standardization. As a result U.S. companies face 
a variety of challenges associated with standardization in China, 
including not being able to fully participate in standards setting 
bodies, domestic standards where international standards already exist, 
non-notification of technical regulations to the WTO, and Chinese 
standards that either forcibly include or exclude foreign technology.
    Draft Standardization Law: Unfortunately, these trends appear to be 
worsening. For example, the September 2017 draft of the Standardization 
Law expands on a public disclosure requirement that is both unique to 
China and potentially damaging to all market participants, and would 
add unnecessary costs and risks for all enterprises in China. 
Furthermore, a newly added and deeply concerning article in the latest 
draft stipulates state endorsement of incorporating indigenously 
innovated technology into industry and social standards. Combined with 
other implementation documents and public statements that allow social 
standards to be transposed to become national and industry standards, 
the inclusion by the state of a preference for indigenous innovation 
seems to create a trade barrier that would conflict with the WTO TBT.
Colombia
    Digital Piracy and IP-related Intermediary Liability: In 2016, the 
Colombian government began to review the 1982 Copyright Law, which 
would allow Colombia to partially comply with commitments made in the 
TPA. Among other elements, the draft includes a number of positive 
elements such as extending civil liability to circumvention of TPMs as 
well as to production and sales of circumvention devices, and allowing 
destruction of circumvention devices and infringing materials. In 
addition, the draft expands certain exclusive rights to authors and 
phonogram producers. At the same time, the text also seeks to update 
copyright exceptions by adding exceptions for library and research use 
and for temporary electronic copies not involving commercial gain, 
among others. Moreover, it introduces statutory damages for copyright 
infringement (although the actual amounts must be decided by decree) 
and would increase copyright protection to 70 years for works for hire 
as well as for phonograms and broadcasts. However, it falls short of 
addressing other key gaps in the online copyright regime, including in 
relation to ISP liability and assistance in takedown of infringing 
content online. While Colombia's commitments go ignored, levels of 
piracy there continue to grow, increasingly online. There is no serious 
effort on the part of Colombian law enforcement to prosecute 
administrators and owners of websites, blogs, and ``hubs'' involved in 
the distribution of illegal files. Copyright protection in Colombia 
could be strengthened through the implementation of the FTA provisions 
and by further mechanisms to combat online piracy.
European Union
    Digital Single Market: Europe's approach to the single-market is 
always most successful when it aims to remove trade barriers between 
the Member States and not to limit competition in a misguided attempt 
to support the single-market. Unfortunately, since announcing the DSM 
as a priority, the initial ``win-win'' framing of the exercise has 
faded as some European officials have sought to use the DSM to handcuff 
the competiveness of U.S. companies. The anti-American approach at 
times reflects an intellectually sloppy critique of government 
surveillance programs that lumps in unrelated private business 
activities; at other times, it betrays a misunderstanding of the best 
practices required to build domestic industry. In any event, it is 
important that the DSM remain focused on keeping Europe open for 
business within Europe and connected to the rest of the global economy.
    Data Privacy: The General Data Protection Regulation (GDPR) will go 
into effect May 25, 2018. Ambiguity around the implementation of this 
agreement remains. Only two EU Members States, Austria and Germany, 
have finalized implementing legislation around the GDPR. This 
regulation will impede the ability of American companies to access and 
utilize European citizen data.
    GDPR will come into force in May 2018, and companies are expected 
to be in full compliance by then. Yet, guidance from data protection 
authorities has been slow to come out, and many U.S. and European 
companies still have a number of compliance questions. Consistent 
implementation of GDPR across all EU member states represents an 
immense regulatory challenge for the EU that has consequences for EU 
competitiveness in the digital economy in addition to American firms 
doing business there.
    Further, the EU-U.S. Privacy Shield has come under scrutiny by the 
EU's Article 29 Working Party (WP29), in which it has called for the 
U.S. Government to prioritize the appointment of an Ombudsperson and 
members of the Privacy and Civil Liberties Oversight Board (PCLOB). It 
has called on the U.S. Government to address these concerns by May 25, 
2018. The WP29 also outlined a number of other concerns in its November 
2017 Opinion on the EU-U.S. Privacy Shield, and calls for these to be 
addressed at the second joint review. The WP29 states in this opinion 
that if the concerns are not address in in the given time frames, the 
members of WP29 will take appropriate action, including bringing the 
Privacy Shield Adequacy decision to national courts and the European 
Court of Justice.
    The Privacy Shield is vitally important for American and European 
companies to continue to transfer data across the Atlantic and do 
business and sets a high standard for the protection of consumer data. 
The EU-U.S. Privacy Shield is successful on many levels:

   It facilitates the movement of data cross-border for 
        American and European businesses, while meeting the rigorous 
        privacy expectations of American and European consumers.

   It triggers a thorough review of company's privacy 
        practices, resulting in demonstrable changes to how they do 
        business and protect consumer privacy, in order to certify.

   It enhances accountability by establishing a meaningful U.S. 
        Government and EU Commission process for addressing any 
        consumer concerns that arise.

   It ensures timely and swift action in response to consumer 
        privacy concerns, though relatively few companies have received 
        complaints.

   It is accessible as more than 2,400 American and European 
        companies have been certified, half of which are small and 
        medium sized businesses.

   It serves more broadly as a model for regulatory cooperation 
        demonstrating that it is possible to find solutions that bridge 
        different regulatory frameworks.

    Cyber Security Act: The European Commission's proposed Cyber 
Security Act contains provisions for a voluntary ICT certification 
framework for connected products and services. While this does create a 
consistent framework for companies that provide such products and 
services--meaning that they can certify once, while complying Europe-
wide--we remain concerned that this will create a barrier for device 
makers to enter the European marketplace because certification is a 
costly and burdensome undertaking. In addition, it remains possible 
that the final proposal, or future updates to this proposal will 
require mandatory compliance with such provisions.
    NIS Directive Transposition: While the NIS Directive does not 
explicitly call for provisions that would act as a barrier to digital 
trade, the flexibility that it affords Member States will create 
divergent approaches to implementation which ultimately undermine the 
Digital Single Market and disproportionately limit the ability of 
international companies to operate across Europe. These include the 
ability for Member States to develop security measures for Operators of 
Essential Services (Critical Infrastructure) at the national level, 
rather than utilizing international standards, and to introduce 
divergent thresholds and reporting requirements for significant cyber 
incidents.
    Digital Piracy: Many EU economies have invested in building 
comprehensive and effective IP frameworks through domestic legislation, 
judicial decisions, and IP provisions in new trade agreements. In the 
U.S. Chamber Index, six EU economies--the UK, Sweden, France, Germany, 
Ireland, and the Netherlands--all score closely behind the U.S. due to 
the strength of their IP frameworks. However, copyright protection 
continues to be one area where the EU economies' IP legislation and 
enforcement consistently falls short. In particular, online piracy 
creates a significant impediment to digital trade throughout the 
region. Both Spain and Italy, which otherwise have very strong IP 
systems, suffer from continually high piracy rates. In order to combat 
digital piracy, the EU's e-Commerce Directive provides the authority 
for a court or administrative authority to require ISPs to terminate or 
prevent copyright infringement by third parties that use their 
services. The e-Commerce Directive also lays out the basis for 
injunctive-type relief against infringing websites in EU member states, 
while still providing a safe harbor for ISPs. Recent case law from the 
Court of Justice of the European Union and in individual EU countries, 
including Spain and Italy, illustrates that countries are implementing 
the tenants of the e-Commerce Directive to help combat digital piracy 
and better protect copyrighted content online.
India
    Privacy: Following the Indian Supreme Court ruling in August 2017 
that declared privacy to be a fundamental right for Indian citizens, 
the Indian government has to undergo the challenging task of preparing 
privacy legislation, as directed by the Supreme Court. While no 
proposed legislation has surfaced, this new regulation will have 
significant impact on American companies operating in India. It is 
essential that as India embarks on the process of developing a national 
privacy framework, it bears in mind the important economic benefits 
created by flexible approaches to the use of data, and the importance 
of enabling cross-border data flows.
    Foreign Direct Investment: The Department of Industrial Policy & 
Promotion (DIPP) does not currently allow 100 percent FDI in e-commerce 
incrementally in denoted sectors--and ultimately across all sectors. 
FDI has been relaxed in the food retail sector, which has resulted in 
the commitment of investment and opportunities to digitize markets for 
farmers and growers. Similarly, other sectors which can benefit from 
increased FDI flow need to be considered. Two sectors where it can be 
taken up are `Digital products' and `Textiles'. Digital products refer 
to computer programs, text, video, images, sound recordings, and other 
products that are digitally encoded and produced for commercial sale or 
distribution. These products are delivered over a digital network E.g. 
Music tracks, video, software, newspapers, books. These are intangibles 
its trade is deemed as trade of ``right to use'' or ``transfer of right 
to use'' just as there is ``deemed sales'' or ``transfer of right to 
use'' of tangible goods. These are the products which can be purchased 
as well as consumed digitally. Typically, digital products include 
Software (productivity tools, security software, databases, design 
applications etc.), Audio visual products--movies and television 
programs, Video games, Digital images and products, E-books, Music 
files etc. The textile industry is currently under major stress due to 
several factors including GST, reduction in exports and tariff 
advantages of other countries. An increase in FDI inflow to this 
sector, which attracted only $1.5 billion in the last 15 years, will 
ensure it reaches its potential. One of the ways of ensuring backward 
flow of FDI is by allowing market access to textile products which will 
ensure additional investment in the sector.
    Digital Piracy and IP-related Intermediary Liability: Pervasive 
digital piracy presents a significant challenge for creative industries 
operating in India. The International Intellectual Property Alliance 
(IIPA) discusses the scope of the problem in their 2018 Special 301 
submission, noting ``A September 2017 consumer survey of active 
Internet users in India showed that 94 percent of those surveyed 
downloaded pirated music content in the last six months. . .In a one-
month period, the motion picture industry estimates that 63 million 
visitors accessed the top five piracy websites (mostly torrent sites) 
in India for motion picture and television content, accounting for 440 
million page views.'' Further, studies have shown that 60 percent of 
software in India is pirated, creating an enormous cyber-security risk 
for Indian businesses and consumers. Despite high levels of software 
piracy, music piracy, and counterfeit goods, Indian law remains unclear 
about the availability and requirements of a notice and takedown system 
to combat online piracy.
    However, in what is otherwise a challenging copyright environment 
in India, a positive trend has emerged over the past few years with 
rights-holders increasingly being able to defend and enforce their 
copyrights through injunctive relief. Since 2012 there have been a 
number of cases whereby access to websites offering pirated and 
infringing content has been disabled through court orders, including 
notorious international sites like The Pirate Bay. Injunctions have 
been issued by both the High Court of Delhi and High Court of Bombay 
with the Department of Telecommunications instructing Indian Internet 
Service Providers to carry out the order. While the case law and 
procedures are still evolving (particularly with regards to disabling 
access to only specific URLs versus entire websites), we hope that this 
development will act as a strong deterrent against online piracy in 
India.
Indonesia
    Data Localization: The Indonesian government's issuance of 
Government Regulation No. 82 of 2012 on Electronic System and 
Transaction Operation (``GR 82/2012'') creates significant barriers for 
U.S. firms. In particular, it requires Electronic System Operators 
(ESOs) for public services to place a data center and disaster recovery 
center in Indonesia for the purpose of upholding justice, safeguarding, 
and upholding state sovereignty towards its citizen's data. While 
public services is not defined in the bill, it is defined elsewhere in 
Public Services Law (Law No. 25 of 2009). A company considered to be 
carrying out public services appears to be covered. The government is 
currently reviewing the definition of public services and may expand 
the regulation to include all services. Other aspects of GR 82/2012 
erect significant barriers to entry, including disclosure of encryption 
used in providing e-services and providing the encryption key to the 
government. The U.S. Chamber has repeatedly encouraged the government 
not to proceed with this regulation.
    Over-the-Top Services: In 2016, Indonesia proposed regulations 
known as ``the Draft Regulation on the provision of applications, and/
or content services through the Internet OTTs.'' In August 2017, 
Indonesia's Ministry of Communication and Information Technology (MCIT) 
released a new draft. Some changes were made, but issues remain 
requiring OTT providers to set up a permanent establishment in 
Indonesia, offer terms of service in Indonesian language and use 
Indonesia's national payment gateway.
    The proposed measures will be prohibitively burdensome for start-
ups and small-scale businesses that lack the resources to establish 
operations in Indonesia. Indonesian consumers will also be denied 
access to the full benefit of global online services and will harm 
Indonesia's competitiveness in the digital economy. On tax issues, 
Indonesia has supported a collaborative approach globally in the 
context of the Organization for Economic Co-operation and Development's 
(OECD) ongoing work on base erosion and profit shifting (BEPS). A 
departure from this approach toward sector-specific tax requirements 
before OECD's BEPS project is fully implemented will inadvertently 
create barriers to entry and discriminate against foreign providers in 
ways that are inconsistent with Indonesia's international trade 
commitments. Keeping the Internet open and free of barriers is critical 
to Indonesian consumers' enjoyment of the Internet and to enabling 
Indonesian businesses to remain competitive in the increasingly 
digitalized global economy.
    Local Content Requirements: The government also has several 
regulations regarding local content requirements, for example 
regulation 68/2015 from the Ministry of Industry imposes local content 
requirements on the manufacturing and development of mobile phones and 
communication devices.
    Indonesia maintains a number of protectionist policies, some of 
which are not enforced in practice, which keep out legitimate content, 
including a proposed 60 percent local content screen quota, onerous 
pre-production content review requirements, a prohibition on dubbing 
imported films, local replication requirement, foreign investment 
limitations, and other restrictions on the audiovisual industry.
    Under the Presidential Regulation no.54/2010 Article 104, foreign 
companies are only allowed to bid for a government procurement project 
if the bids exceed the threshold of IDR 20 billion (USD $1.49 million) 
for goods and other services and IDR 10 billion (USD $744,000) for 
consulting services. Moreover, in order to promote optimized use of 
domestic goods and services, government entities are to give 
preferential treatment in the form of price preferences to domestic 
goods and services providers, as stipulated in the Presidential 
instruction No. 2/2009. While cross-border ICT service providers are 
not excluded from government procurements, such protectionism puts them 
at a disadvantage.
    Digital Piracy and IP-related Intermediary Liability: The creative 
content community faces significant challenges in Indonesia. Digital 
piracy is persistent, enforcement is wholly insufficient, and courts 
are mostly ineffective. A significant and continued investment of 
resources and training for enforcement entities and courts and high-
level political commitment is needed.
    Indonesia has made meaningful improvements over the past year, 
though significantly more needs to be done given the scale and scope of 
piracy in Indonesia's market. In a positive development, the 2014 Act 
provided new tools to combat online infringement and the circumvention 
of technological protection measures (TPMs). Regulations implementing 
the law (Regulations No. 14 and 26) were enacted in July 2015, 
providing new administrative remedies in response to websites that 
facilitate infringement by disabling access to primarily infringing 
websites. Additionally, the Creative Economy Agency established an 
anti-piracy task force in the second half of the year. These new tools 
have already proven useful and suggest new dedication to anti-piracy 
efforts within Indonesia.
Nigeria
    Data Localization: Since 2011, Nigeria has required all point-of-
sale and ATM transactions to be processed within Nigeria. In December 
2013, the National Information Technology Development Agency (NITDA) 
issued Guidelines for Nigerian Content Development in Information and 
Communications Technology (the NITDA Guidelines) applicable across a 
wide range of of ICT products and services in Nigeria, which has come 
under subsequent revisions. The Guidelines put restrictions on the 
cross-border flow of data requiring that all consumer data collected by 
companies in Nigeria be stored locally.
    Local Content Requirements: The Nigerian government is proactively 
encouraging local content development in an attempt to boost the local 
economy, enhance skills and capabilities, and boost employment.
    Nigerian content regulations started from strategically important 
sectors such as the oil and gas industry. In 2010, the Nigerian Oil and 
Gas Industry Content Development Act 2010 No. 2 was introduced. 
According to this act, IT management consultancy services and data 
management services procured by oil and gas companies are subjected to 
50 percent Nigerian content, while other Information Systems (IS)/
Information Technology (IT) Services require 75 percent of Nigerian 
content.
    According to the NITDA Guidelines, the design, procurement, 
testing, deployment, maintenance and support shall be executed by 
Nigerian indigenous ICT Companies, Nigerian subsidiaries of 
international ICT OEMs, or Nigerian partners of international ICT OEMs. 
For example, companies determined to be Original Equipment 
Manufacturers (OEMs), for example, are required to maintain at least 50 
percent local content by value, assemble all hardware within Nigeria 
and maintain fully staffed facilities for this purpose, and maintain 
in-country research & development departments.
    International ICT companies are required to submit a local content 
development plan to NITDA, detailing creation of jobs, recruitment of 
local employees, human capital development, and value creation in the 
industry. Furthermore, ICT companies are required to host all consumer 
and subscriber data locally. Moreover, government data is mandated to 
be hosted in Nigeria within 18 months of the coming into effect of 
these guidelines. In other words, the government is attempting to 
reduce Nigeria's reliance on cross-border ICT services. However, there 
have been challenges in implementing the guidelines and in October 2015 
the Nigerian Government issued a notice in mandating compliance.
Russia
    Data Localization: Russian Federal Law No. 242-FZ companies 
collecting the Russian citizen personal data to store and process the 
data on Russian territory. Subsequent guidance from the regulator, 
Roskomnadzor, outlined that foreign companies are only able to send 
data outside of Russia as long as it was collected with the use of 
local infrastructure and remains stored and processed on that same 
infrastructure. If companies do not comply, their access to the market 
and these services can be restricted. This has forced both U.S. firms 
operating in Russia or providing services from the U.S. to rewire their 
operations, consider exiting the market, or buying server space in 
Russia to provide the same services at a higher cost.
    Federal Law No 374-FZ provides Russian agencies with the authority 
to request access to company-held data. It also requires 
telecommunication companies and Internet service providers (ISPs) to 
keep metadata and the contents of a communication sent through their 
services in Russia. Further, ISPs are required to provide the Russian 
authorities information necessary to decrypt Internet communications.
    Local Content Requirements: In its efforts to diversify and 
modernize its economy, the Russian Government has increasingly focused 
on erecting localization barriers and mandatory localization 
requirements for foreign entities to access the Russian market. The 
``New Digital Society Strategy 2017-2030'' approved in May 2017 
contains a number of localization policies including the location of 
databases and data within Russia and online payments to be made through 
Russian payment systems. Further restrictions have also been put in 
place for foreign ownership of online content providers.
    Digital Piracy and IP-related intermediary liability: Although 
online piracy remains a serious problem in Russia, the Government has 
taken a number of important, positive steps to provide new tools to 
address the issue. In 2013 and 2014, the Russian Federation signed into 
law amendments to the Civil Code Part IV, which included notice and 
takedown obligations to intermediaries upon notice of infringement by a 
rights holder and allows for disabling access to infringing sites in 
the event of repeat infringement. With regards to the application and 
enforcement of the 2013 and 2014 amendments, reports from the Russian 
government suggest that traffic onto websites with legitimate content 
was increasing as a result of the law; however, in other areas 
enforcement challenges persist. For example, online piracy rates 
continue to remain high in Russia. VK.com remains one of the most 
visited websites in the world and is included in USTR's Notorious 
Markets Report.
    In 2017 further legislative changes were introduced to strengthen 
rights-holders ability to request the disabling of access to infringing 
material online. Specifically, there were a number of important 
amendments to the ``Law on Information, Information Technologies and 
Information Protection.'' These amendments include the ability of the 
court to extend injunctive relief against so-called mirror sites that 
infringe copyrighted content. In addition, rights-holders now have the 
option of notifying the Ministry of Communications, which has two days 
to order the hosting provider to disable access to the site. 
Furthermore, Internet mediators (including search engines) are now 
obliged to remove links to sites that have been found to host illegal 
content. These are positive developments and show how Russian 
authorities are actively seeking to address the immense challenge of 
online piracy.
South Korea
    Cloud Computing: The Cloud Computing Act (CCA) and related Data 
Protection Standards for Cloud Computing Services (CCPA) discourage 
U.S. cloud services providers from entering the market. In September, 
2015, the Ministry of Science, ICT and Future Planning (MSIP) enacted 
The Act on the Development of Cloud Computing and Protection of Use, 
commonly referred to as the Cloud Computing Act (CCA), with the 
intention of developing Korea into a $3.9 billion cloud services market 
by 2018. Unfortunately, government agencies responsible for setting 
specific security guidelines for public institutions' use of cloud 
services have created a patchwork of competing directives and continue 
to erect barriers to entry that favor local cloud service providers.
    U.S. industry applauds the legislative intent of the CCA. In 
practice, however, the law deters U.S. cloud service providers from 
entering the Korean market. The current Data Protection Standards for 
Cloud Computing Services (CCPA Guidelines) require data separation and 
network separation for all public institutions utilizing cloud 
services. In Korea, this includes financial services, healthcare, 
educational and government institutions. First, the requirement to 
separate the data from the public cloud require U.S. companies create 
separate intranets for these institutions, which mitigates the 
efficiencies that cloud computing. On the second requirement, network 
separation, companies are required to build physical servers in Korea, 
which is prohibitively expensive.
    These approaches undermine the efficiencies of cloud computing by 
limiting the ability of cloud providers to leverage the economies of 
scale of an international infrastructure. This will ultimately deter 
cloud computing technologies from becoming ubiquitous in Korea, and 
will create unnecessary roadblocks for Korean firms that could benefit 
from such technologies.
    U.S. cloud service and financial service providers face a unique 
set of challenges in Korea, due to the physical network separation 
requirements established under the Regulation on Supervision of 
Electronic Finance.
    The Financial Services Commission (FSC) requires the physical 
network separation of the information processing system of financial 
companies in its Regulation on Supervision of Electronic Finance. This 
requirement prevents the introduction of cloud computing services in 
the financial services sector. In addition, when the cloud service is 
allowed, it can be introduced only to a ``non-critical information 
processing system'', which is vague and makes the introduction of cloud 
service extremely difficult in this sector. In all, this excessive 
regulation restricts the use of cloud computing services in the finance 
industry, which is contrary to the Korean government's policy to 
nurture and promote the cloud industry.
    Data Localization: Data localization requirements have improved in 
many ways, however, challenges remain for U.S. financial service 
providers and reinsurance companies.
    In June, 2015, the FSC released a revision to the Regulation on 
Financial Institutions' Outsourcing of Data Processing Business and IT 
Facilities, however the revisions have not been fully implemented. The 
revision sought to eliminate a provision that restricts offshore 
outsourcing to a financial firms' head office, branch and affiliates to 
allow outsourcing to a third party including a professional IT company.
    However, there remain some areas where companies are unable to 
transfer data across borders. For example, Korean branches of U.S. 
reinsurance companies are not allowed to transfer personal information 
offshore for data processing or storage, and similar restrictions exist 
for financial services providers. This creates inefficiencies, 
increases the risks of hacks and leaks, and puts at risk a company's 
ability to recover critical data in the event of natural or other 
disaster situation. Similarly, U.S. cloud service providers feel that 
barriers remain with regards to the transfer of certain types of data 
to professional cloud service providers.
    Discriminatory and redundant local certifications are required in 
addition to globally agreed upon standards and commitments, preventing 
the adoption of best practices related to cybersecurity, privacy, and 
encryption.
    Standards: The United States and Korea are both members of the 
Common Criteria Recognition Arrangement (CCRA), under which products 
certified at any CCRA-accredited laboratory should be recognized as 
meeting the certification requirements of any other CCRA member 
country. Despite this agreement, the Korean government requires 
additional verification of network equipment such as routers, switches 
and other information security products procured by public sector 
agencies. Compounding the burden, individual government agencies 
require their own separate conformity testing, even if the same product 
has been procured and verified by another government agency. This 
additional certification process is overly burdensome, and deters the 
adoption of best cybersecurity practices and equipment by Korean 
government agencies.
    Since 2011, the Korean government has imposed these additional 
verification requirements, and in 2014 extended similar security-
conformity testing requirements to all international CCRA-certified 
products used by all central government agencies. The government is 
expected to extend this policy to include all public organizations 
including local governments, hospitals, and educational institutions. 
There is concern from the private sector that these guidelines have 
been interpreted as requirements to buy local IT products and avoid 
foreign ones. Although the Korean government has tried to clarify these 
policies to government agencies, there has been no change in their 
implementation.
    In addition, public sector agencies procuring networking equipment 
have increasingly required the incorporation of encryption 
functionality that need to be domestically developed and certified 
(e.g., ARIA and SEED), which in effect deems the use of widely-used 
international encryption standards such as AES as inadequate. As a 
result, products such as virtual private networks and firewalls from 
U.S. companies cannot be sold to Korean public sector agencies. Going 
forward, Korea should ensure that products that are based on widely-
accepted international standards have full access to Korea's public 
sector market.
    South Korea also requires issuance of accredited certificates using 
Public Key Infrastructure (NPKI) by law. This is a technology 
recognized on the Internet and offers various supplementary services, 
including e-commerce and electronic banking activities. It also 
requires users to obtain accredited certificates when accessing South 
Korean government websites such as Yestrade (South Korea Export 
licensing system) and UNI-PASS (South Korea Import System). When the 
accredited certificates are obtained, they require many plugins and 
add-ons to install on the user's computer. This is burdensome and an 
unnecessary security standard because these plugins and add-ons can 
change a company's standard configuration and can cause other potential 
problems and risk to the user's computer
    Privacy: There has been some concern that the Korea Communications 
Commission and other regulators believe that Korea's existing Personal 
Information Privacy Act (PIPA) offers stronger protections than the 
APEC cross-border privacy rules system which Korea recently joined. 
U.S. industry fears similar duplicative requirements will be imposed on 
CBPR compliant companies, once adopted. It is our strong view that this 
approach would undercut the efficiencies gained by the APEC CBPR 
system, and U.S. regulators and certifiers should work closely with 
their counterparts in Korea to ensure that the CBPR system functions in 
the way it is intended to.
    Bandwidth Costs: Bandwidth costs in Korea continue to rise, despite 
costs falling on a global scale. South Korea may be the only country in 
the world where bandwidth costs are rising. This trend is likely driven 
by a combination of directives from the Ministry of Science, ICT and 
Future Planning designed to lower costs to consumers, and powerful 
incumbents trying to offset them. One new regulation mandates the 
commercial terms of interconnection, contrary to the model for 
`peering' that is used across most of the world. Another sets a 
prescriptive rate at which bandwidth prices should fall per year at 7.5 
percent, slower than the average bandwidth price drops around the rest 
of the world.
    Customs: Complex border measures and customs procedures are 
creating barriers for small and medium sized enterprises (SMEs) to 
leverage e-commerce opportunities.
    E-commerce has grown tremendously in recent years, and the 
emergence of new e-commerce platforms has allowed for small and medium 
sized companies to reach new customers across the globe. It has also 
created a surge of low-value, cross-border shipments. In response to 
the increased volume, governments have sought to introduce new border 
measures such as x-ray screening, additional paperwork requirements, 
and new e-commerce channels, however, such efforts are making trade 
more complex for SMEs (many of whom are new, and inexperienced 
shippers) and limiting their ability to fully leverage e-commerce 
platforms and the opportunities they create.
    Procurement: SME procurement preferences are interpreted as 
domestic procurement preferences. Korea, similar to the United States, 
provides for SME procurement preferences under certain circumstances. 
However, in Korea, the preferences are interpreted by government 
procurement agencies as a preference for domestic products, rather than 
to assist SME companies who can resell products and solutions sourced 
internationally. Directives such as ``Guidelines on IT network 
equipment installation and operation'' for public sector agencies 
stipulate the use of testing and certification requirements that are 
met only by domestic products and fail to recognize and accept products 
that meet global certifications.
    Online Travel: Online travel agencies are unable to offer non-
refundable hotel rates in Korea, limiting consumer choice. In an effort 
to increase consumer protections, online travel agencies face 
regulations in Korea that ban non-refundable hotel rates. Ironically, 
such regulations actually harm consumers by raising prices, and over 
time, harm the tourism industry -including the complimentary businesses 
associated with it.
    Digital Piracy and IP-related intermediary liability: To combat 
digital piracy, Korea has in place an administrative mechanism for 
responding to rights holder requests for removing access to infringing 
content online. The legal basis is found in Article 102(2)f of the 
Korean Copyright Act, which provides limited liability for ISPs that 
respond to a court or related administrative body order to delete or 
disable access to infringing content. In the case of Korea this order 
comes from the Korean Communication Standard Commission (KCSC), but 
based on a request from the Korean Copyright Commission (which in turn 
responds to rights holder notices of infringing content and sites). 
Industry reports suggest that as of 2017 access to over 400 infringing 
websites have been disabled in Korea under this mechanism. A 2016 study 
by the Motion Picture Association found on significant impact from the 
mechanism, including on average a 90 percent drop in visits to disabled 
sites within three months of an order. In addition, following 3 
instances of disabling a given site, the data suggested a 15 percent 
drop in visits to infringing websites and 50 percent reduction for P2P 
sites specifically. However, it should be noted that site disabling at 
the request of the Korea Communications Standards Commission more 
generally is not always used transparently or independently, with some 
concerns over censorship from civil society organization reported.
Thailand
    Digital piracy and IP-related intermediary liability: Digital 
piracy is pervasive across Thailand. The Motion Picture Association of 
America reports ``In one month, there were twenty times the page views 
to the top five piracy sites in Thailand as there were page views to 
the top five legitimate Websites.'' The Thai government has taken steps 
to close loopholes in the Thai law through amendments to the Copyright 
Act; however, in several instances they are missing key language or 
provisions that would allow them to effectively limit infringing 
activities, particularly in the online sphere. Sections 28/1 and 69/1 
make camcording in public venues an infringement, although the language 
is not as strong as that in other economies--only actual reproduction 
is criminalized without specifically including intent to copy and 
distribute, essentially precluding preventative enforcement. No 
landlord liability was introduced, which means that physical shops 
selling pirated goods are not held liable as intermediaries. The 
amendments introduce liability for ISPs and a kind of notice and 
takedown system but with several limitations that render the new law 
significantly less effective than anticipated and not a true notice and 
takedown mechanism. ISPs are not liable for non-hosted material, 
regardless of if they have knowledge that it is infringing. In 
addition, rights holders' notices must be accompanied by a court order 
for ISPs to be responsible to respond. In addition, the amendments 
involve a high burden of proof to demonstrate infringing sites. The 
2015 amendments to the Computer Crimes Act reinforce these same 
requirements and as such do not contribute to closing these loopholes. 
In 2014-15, rights holders reported a good rate of response (90 
percent) from mainstream ISPs (though not for non-hosted content); 
however, the new rules may jeopardize this trend. In terms of 
exceptions to copyright, among other exceptions, Section 32/9 of the 
copyright amendments introduce a wide exception for use by disabled 
persons that goes beyond the Marrakesh Treaty. Also, negligence 
continues on the Thai government's part to book piracy in educational 
institutions, including in relation to broad interpretations of the 
disabled person's exception. In addition, unauthorized access to and 
retransmission of pay TV and satellite programing as well as unlicensed 
public performance of copyrighted works (e.g., at entertainment venues) 
remain major challenges on the ground.
Turkey
    Data Localization: In 2013, Turkey enacted the Law on Payments and 
Security Settlement Systems, Payment Services and Electronic Money 
Institutions. This law requires Internet-based payment services to 
store data within Turkey for at least ten years.
    Privacy: Turkey finalized its Law on the Protection of Personal 
Data in 2016. Turkey's newly formed DPB is tasked with implementing the 
law and determining whether other countries provide an adequate level 
of privacy protection. The Law places heavy obligations on data 
controllers and processors, requiring consent to be explicit for the 
processing of non-sensitive and sensitive personal data.
    While personal data can be transferred to a third country, because 
the processing grounds available for sensitive personal data are very 
limited the transfer of sensitive personal data is incredibly 
burdensome. Further, if the grounds for data processing and transfer 
are anything other than explicit consent then the third country must be 
deemed to have an adequate level of data protection. If a country is 
not deemed adequate, then the DPB must provide permission for each 
transfer.
    The DPB has come out with guidelines around the implementation of 
the law. In particular, the law has several registration and record-
keeping requirements. Data controllers are required to register with a 
publicly available data controllers' registry and provide their 
``Personal Data Processing Inventory'' and ``Personal Data Retention 
and Destruction Policy'' to the DPB.
    Digital Piracy and IP-related intermediary liability: Online piracy 
is still prevalent and problematic in Turkey. The Business Action to 
Stop Counterfeiting and Piracy (BASCAP) estimates the size of the 
pirated and counterfeit market at close to USD11 billion, with 
unlicensed digital content up to one-tenth of that value and unlicensed 
software representing half of the value of unlicensed digital content.
    Turkish copyright law lacks a clear obligation for ISPs to 
expeditiously cooperate with rights holders when they have knowledge of 
infringement without an official order from a prosecutor's office or 
court. However, a basic notice and takedown mechanism, whereby rights 
holders may notify ISPs and if there is no response pursue a takedown 
through the courts, as well as requirement for ISPs to respond to a 
court's order, is present in Additional Article 4 of the Copyright Law. 
In addition, the Internet Law (No. 5651) provides for the takedown or 
disabling of access to websites for matters of ``national security, 
restoration of public order and prevention of crimes,'' which can 
include copyright and trademark infringement.
    Under the law, courts may issue orders for service or hosting 
providers to disable access to sites infringing the law. Law 5651 also 
established a central body of ISPs (Association of Access Providers), 
which is required to respond to courts' orders and may also receive 
notices of violation from the private sector. Industry reports suggest 
that having such a ``one-stop shop'' for submitting notices or 
directing orders has aided in growth in responsiveness by ISPs in the 
past year, including notices from copyrights holders. As a result the 
score for indicator 12 rises by 0.25. In addition, some sites, such as 
the The Pirate Bay, have been disabled under court order in the past.
    Nevertheless, the Association of Access Providers and the Internet 
Law more widely tend to be used more frequently for political-related 
site disabling. Copyright amendments introduced in 2016 and under 
discussion in 2017 would establish, among other elements, a new Center 
for Combating Digital Violations within the Ministry of Tourism and 
Culture. The new Center, if implemented, is intended to become a 
copyright-focused body for handling rights holder notices.
    Local Content Requirements and Technology Transfer: Turkey has had 
in place a regime that discriminates against foreign companies and 
products for over a decade, but in 2014, these types of barriers 
intensified and took on a nature that is likely to involve sharing of 
proprietary know-how and assets. Public Procurement Law No. 4734, 
introduced in 2002, provides up to a 15 percent price advantage to 
local goods in government tenders. The goods that qualify for such a 
preference have up until now been determined annually by the Ministry 
of Science, Industry and Technology. In 2014, the threshold for being 
considered a local product was raised considerably as part of 
Communique 2014/35, issued in September 2014. Specifically, in order to 
be considered a local product, at least 51 percent of the total cost of 
manufacturing must be derived from local materials or labor. In 
addition, substantive stages of the manufacturing process must take 
place locally. Requiring foreign companies to localize production in 
Turkey to this extent likely entails transfer of IP rights to domestic 
entities in some, if not many, cases.
Vietnam
    Data localization: IT infrastructure requirements which directly 
benefits local IT service providers exist in Vietnam. Decree 72/2013/
ND-CP on Management, Provision, and Use of Internet Services and 
Information Content Online stipulates that information service 
providers on mobile telecommunication networks, news or general 
information websites, game service providers, and social networks are 
required to locate one server system in Vietnam for the inspection, 
storage, and provision of information at the request of competent 
authorities, and settlement of customers' complaints. This regulation 
deters the affected companies from procuring other form of 
infrastructure related cross-border ICT services as it would incur 
additional cost for creating redundancies for their data offshore. 
While having a disaster recovery data centre has its merits, the 
additional cost for the service would deter companies with limited 
budget for IT such as SMEs.
    Local Content Requirements: Only Vietnamese organisations or 
individuals are allowed to provide IT services to state bodies. These 
rules not only limited the benefits of a geographically disbursed 
infrastructure, but also put foreign IT service providers seeking to 
offer services in Vietnam at a disadvantage.
    Cybersecurity: The Vietnamese government has released several 
drafts of a new cybersecurity law. Draft 15 of the Vietnamese Law on 
Cybersecurity contained a number of concerning provisions, including:

   Data localization and the localization of gateways

   Consent requirements in order to transfer personal data out 
        of Vietnam

   The regulation of a broad range of online content in the 
        absence of specific court orders. Such content includes very 
        broad definitions of offensive speech and expression. Moreover, 
        such content must be removed within a 24 hour period.

   Local representative office requirements

    The scope of areas and entities covered under the law is also 
unnecessarily broad, creating burdens on industry which are in many 
cases unnecessary, and which will likely overwhelm regulators that are 
charged with implementing the law. This approach will discourage or 
prevent foreign companies from operating in Vietnam, while doing 
nothing to increase the cybersecurity of operators of Critical 
Infrastructure.
    Digital Piracy and IP-related intermediary liability: Pervasive 
digital piracy has undermined the growth of legitimate creative content 
industries in Vietnam. The significant increase in content-providing 
sites has meant that piracy over streaming, P2P, and linking sites as 
well as cyberlockers and social networks has contributed to the 
persistently high piracy rate. For instance, according to Department of 
Film, today there are estimated 400+ local websites that provide access 
to tens of thousands of unlicensed films. A popular music website, 
Zing.vn, was recently listed on the USTR's List of Notorious Markets in 
relation to providing access to unlicensed music.
    Recognizing the scope of the piracy problem, the Vietnamese 
government issued a Joint Circular in 2012 which requires various ISPs 
(including social media networks) to issue warnings to infringing 
users. Although industry reports somewhat greater cooperation in 
takedown from ISPs in response to cease and desist letters from the 
Ministry of Information and Communication (MIC) and the Ministry of 
Culture (MCST), volume is still highly disproportionate to the scale of 
piracy, especially in relation to commercial-scale infringing sites.
                                 ______
                                 
                                U.S.-India Business Council
                                                        May 3, 2018

Ms. Nanda Dave,
Reserve Bank of India,
Mumbai, India.

Re: Reserve Bank of India (RBI) Notification on Mandatory Localization 
            of Payment System Data in India

Dear Ms. Dave:

    USIBC commends the Government of India's for its continued 
commitment to a less-cash, digital payments driven ecosystem in India. 
USIBC members are wholly committed to be partner in achieving the goals 
and vision of Less cash and Financial inclusion agenda. It is in this 
spirit that we bring concerns with the new requirement for mandatory 
localization of payment system data to your attention.
    On April 6, 2018, the Reserve Bank of India published The 
Notification on Storage of Payment System Data (Localization 
Requirement) mandating payment system operators (POSs) to store payment 
system data only in India. The Localization Requirement was issued 
without any consultation with industry stakeholders even as it 
represents a significant and fundamental shift in the regulatory 
architecture for digital payment systems in India. The provisions are 
very broad and in key areas subject to interpretation and ambiguity. 
USIBC and its members assume the regulatory intent to be driven by data 
access, cybersecurity, privacy and fraud prevention concerns. While 
important and necessary goals, the localization requirement may not be 
the best mechanism by which to achieve these objectives and may in fact 
undermine the ability of industry stakeholders to detect, prevent, and 
mitigate global financial crime, frauds and breaches thereby increasing 
the cyber vulnerability in the system and in particular for India as a 
country.
    The implementation of a mandatory localization requirement in India 
may also run counter to anti-money laundering requirements in the 
international jurisdictions create conflicts of both within and outside 
where India is not aligned with international best practices.
    USIBC members remain respectful of RBI's concerns of Indian users' 
payment data and need for unfettered supervisory access. At the same 
time, the payment storage ``only in India'' has fundamental negative 
impact Global Payment operators operating and business model. The 
Directive significantly impacts the ability of global payment platforms 
to combat global financial crime and fraud for Indian users.
    The mandate places severe constraints on global industry's ability 
to bring the latest innovations and technologies to Indian users and 
support the Indian Government's and RBI's less-cash vision.
    USIBC respectfully requests a reversal or an indefinite stay on the 
implementation of the Localization Requirement and welcomes an 
opportunity to collaborate with the Government of India and RBI on 
identifying the best path forward to address the regulatory concerns.
    The detailed discussion on the potential negative implications of 
the data storage ``only in India'' requirement and the Localization 
Requirment in general are set out below in Section I. This is followed 
by recommended areas for clarification in Section II.
Implications of the Requirement for Mandatory Localization of Payment 
        System Data
1. Ease of Doing business in India for multinational companies
    The Localization Requirement comes precisely at a time when India 
continues to refine policies towards further improvement in its ranking 
on relevant global indices. This effort was reflected in India's jump 
of 30 places in the World Bank's Indices, the highest of any country in 
such a short period of time.
    The Localization Requirement could potentially undermine the 
otherwise positive global perception of India as attractive destination 
for foreign direct investment. One of the foundations of ease of doing 
business is regulatory certainty which provides investors and USIBC 
members with confidence to base their future expansion and invest 
plans. The current move would undermine this confidence.
    The Ease of Business concept encapsulates not only the process by 
which new regulation is generated, but also the substance of the 
provisions and the nuanced balance between cost and benefit they 
ultimately create. The Localization Requirement would significantly 
raise costs for both companies and Indian users and consumers, and 
potentially introduce new risks in the payments ecosystem. Meanwhile, 
the regulatory benefits remain unclear and/or outweighed by these costs 
and inefficiencies.
2. Unintended Negative Impact on Cybersecurity and Reducing Risk--
        Disaster Recovery and Mitigation Plans
    As India moves towards its digital payments vision, policymakers 
have rightly focused on the need for cybersecurity and minimizing 
digital risk within their markets. All market participants, whether 
they are consumers or payment system operators, benefit from a strong 
cybersecurity regime. A large-scale breach in India would severely 
affect Indian users' confidence in the payments system and would raise 
reputational issues for the India as global power. The mandate forces 
all payment data to be stored only on soil which significantly raises 
the risk of India a single destination and visible target for cyber-
attacks on Indian payments data.
    Global experience demonstrates that localization requirements can 
unintentionally have the opposite impact. They introduce cyber 
vulnerabilities into otherwise secure global networks, put transaction 
data at risk, reduce efficiencies, and increase the risk of cyber-
attacks. Localization mandates can also impact global payments 
companies' abilities to detect, mitigate, and prevent security breaches 
and provide best-in-class disaster recovery and business continuity 
plans.
    Furthermore, alternative solutions may be available to achieve 
these same regulatory objectives. For example, the stated intent of 
unfettered supervisory access could also be achieved without the 
mandate of ``only in India''. Having a mirror image post processing 
copy of the data in near real time might potentially satisfy the 
``objective of unfettered supervisory access''; however, depending on 
the parameters defining scope of data and ``unfettered access'', a 
post-processing copy can also create added vulnerabilities, risk, and 
commensurate additional resources for housing, security and access. 
USIBC stakeholders are best placed to identify these solutions and can 
work with policymakers to ensure they satisfy regulatory oversight 
goals.
3. India stands to gain from an Open Cross-Border data flow regime and 
        localization is a race to the bottom
    India has been one of the biggest beneficiaries of open cross-
border data flows. The world-class Indian IT/ITES industry provides 
services and data analytics as well as BPO/KPO hub services to over 80-
90 countries. India can continue to be a global leader by fostering 
free cross-border flow of data and enterprise services.
    India's open market and open society approach has created one of 
the most vibrant and competitive payments ecosystems globally. Both 
Indian and international companies play a role in supporting RBI's 
less-cash vision. Currently there no mandates in major economies that 
restrict Indian fintech or payment companies from providing their 
services from India to users in these countries.
    Global experience shows that when one nation proposes data 
localization that impacts foreign firms, other countries tend to 
respond with similar requirements. Any such counter responses in the 
current situation could severely hamper the Indian IT/ITES industry and 
serve as a chilling effect on interests globally. Retaliatory 
regulation raises costs across the digital payments ecosystem, limits 
choice and competition. Futher, given that such regulations often don't 
contain ``sunset'' provisions, the market distortions they create have 
a long-term impact on the economy.
    USIBC members do not see asymmetric arrangements in the storage and 
processing of data as sustainable on a long-term basis, particularly 
with respect to the Prime Minister's goals of fostering growth of the 
digital payments economy as a key component of international trade. 
USIBC also notes that the responsible development of a digital economy, 
and India's fullest participation in it involves recognizing the 
importance of a properly managed cross-border data flows bolstered by 
clear norms around privacy and data protection.
4. Stakeholders not Consulted in the Regulatory Development Process
    The Localization Requirement took USIBC and its members by surprise 
given the scope and breadth of the provisions and the lack of 
consultation with stakeholders. A localization mandate of this nature 
fundamentally changes the regulatory architecture within a jurisdiction 
and raises complex issues for the payment system operators required to 
comply with its provisions. Stakeholder consultation is critical to 
articulating the costs of such a requirement on business operations, 
understanding the changes to the cyber threat landscape it may bring, 
and evaluating the industry's continued ability to effectively identify 
and prevent breaches. This assessment would help answer the question of 
whether the proposed requirement does in fact deliver the intended 
benefits regulators seek. USIBC respectfully recommends that the 
Government of India and RBI undertake such a consultation to understand 
these costs and benefits before moving forward with implementation of 
the Localization Requirement.
5. Need for Clarification on the Scope of the Localization Requirement
    The Localization Requirement is very broadly written and creates 
ambiguities about the type of data that must be stored and the ways in 
must it be kept in India vis-a-vis other jurisdictions. In addition, 
the requirement provides an exemption for the ``foreign leg'' or cross-
border segments of a transaction, but does not define the term and it 
remains subject to interpretation. This in turn raises concerns as to 
compliance with other international anti-money laundering requirements 
foreign operators may be subject to in the other jurisdictions in which 
they do business. Clarification on these and other related issues will 
help USIBC and its members more fully assess the true implications of 
the new requirement.
6. Coordination with International Laws and other Data Regimes
    International payment companies have global operations and are 
required to meet regulatory reporting and supervision requirements in 
multiple jurisdictions. In its current form, the Localization 
Requirement may restrict the ability of international payment companies 
to meet their legal obligations in other countries of operation and may 
be in conflict with applicable foreign laws and local laws like the 
India Information technology act which allows data to be processed and 
stored overseas with appropriate safeguards. As India considers a data 
privacy framework, the Localization requirement should be developed 
within the broader context of data privacy and protection, as opposed 
to a separate, potentially conflicting stand-alone requirement. The 
RBI's recent Inter Regulatory report on Fintech stressed the need for 
national DPR and privacy law to enable the growth of Fintech ecosystem.
    Data Protection Regimes in other jurisdictions may be helpful 
reference points and provide `lessons learned' that Indian policymakers 
can leverage as they deepen consumer protection in India. For example, 
the `India only' requirement in the provisions effectively puts India 
in a position of having the most stringent form of data localization 
measures. Jurisdictions that have implemented localization requirements 
have done so in a more nuanced form that contemplates the flow of 
cross-border data and their experiences are important to consider. In 
addition, the European Union's General Data Protection Regulation 
(GDPR) and the APEC Cross-Border Privacy Rules (APEC CBPR) may provide 
guidance on the data protection framework most appropriate for India. 
Additional information is provided in Annexure 1 to this letter.
7. Accelerating India's Digital Payments Agenda
    As India works to achieve its new target of 30 billion digital 
transactions by 2019, the ability of global payments companies to 
contribute to that goal will be more important than ever. The new 
requirements could undermine global participants' ability to deliver 
cutting-edge innovation in products and services, increasingly 
sophisticated risk, security and fraud management applications that are 
supported by analysis from complex global data sets, and collaboration 
models that propel Indian payments solutions to reach global scale.
    By its very nature, a digital economy is one that does not require 
physical presence for its processes to operate most efficiently. 
Further, the added cost of implementing and maintaining localization is 
in direct contrast to India's stated objectives to reduce the cost of 
transactions in order to maximize direct benefit to the economy.
    In 2014, the European Centre for International Political Economy 
examined the overall impact of localization measures in seven 
countries--Brazil, China, the European Union, India, Indonesia, Korea, 
and Vietnam--and found negative impacts on GDP and foreign investment. 
They found that economy-wide data localization laws drain between 0.7 
percent and 1.1 percent of GDP from the economy and that any gains are 
too small to outweigh losses in terms of welfare and output in the 
general economy.\1\ The impact of the Localization Requirement on 
broader fintech services in India must be carefully considered.
---------------------------------------------------------------------------
    \1\ http://www.ecipe.org/app/uploads/2014/12/OCC32014 1.pdf
---------------------------------------------------------------------------
1. Request and Clarification
  1.  Removal of the word `only' in Clause 2--Request RBI to allow 
        industry to implement appropriate methods to meet RBI's stated 
        objective of unfettered access and exercise supervisory control 
        of Payments data

  2.  Allowing both legs of the transaction to be retained overseas. A 
        plain reading of Clause (2i) of the Localization Requirement 
        suggests that one leg (i.e overseas leg of the transaction) 
        will be allowed to be retained overseas. For the purposes of 
        regulatory reporting, both legs of the transactions will be 
        required. Given the above, the Localization Requirement should 
        clarify that for transactions involving a foreign leg, all 
        transactions can be retained in foreign country.

  3.  Given that India is only a Receive-only Country, storage of 
        Senders' data on systems in India should be excluded. For 
        international remittances, India is a Receive country only. To 
        require the entire data of the transaction, including 
        information on Senders (which may include Sensitive 
        Information) may create difficulties for operators. In 
        addition, there may be some type of data storage requirement by 
        the Senders' countries.

  4.  The duration in relation to length of time such data needs to be 
        stored in India should be specified. Without any `sunset' 
        provisions, the Localization Requirement may create substantial 
        costs for companies and increase risk of market distortions for 
        digital payment operators in India.

  5.  Removal of any prohibition or requirements in relation to 
        transferring such data out of India. Given that the transfer 
        would be part of a contract between a company and the consumer, 
        there should not be any restriction on transferring of data, 
        notwithstanding data storage requirement.

  6.  Confirmation of the entities who must comply with the 
        requirements. A plain reading of the text suggests that 
        compliance with the circular is required by the licensed 
        entities to whom the circular is addressed (LE). The LE is 
        required to ensure compliance by service providers, 
        intermediaries third party vendors and other entities who 
        provide services directly to the LE in connection with 
        operating of the payment system. We request RBI to confirm this 
        position.

  7.  Confirmation of the scope of the Localization Requirement on 
        authorized dealers and the Foreign Exchange Department. A plain 
        reading of the text suggests that the activities carried out by 
        authorized dealers and instructions issued by Foreign Exchange 
        Department will not be governed by this circular. We request 
        RBI to confirm this position.
The Path Forward
    USIBC and its members seek to work collaboratively with the 
Government of India to achieve its vision for Digital Payments in India 
and fully support the need for cybersecurity and fraud prevention 
within the regulatory architecture. The significant changes implicated 
by the Localization Requirement necessitate a reversal or an indefinite 
stay on the provision to give the industry and policymakers an 
opportunity to work together to find solutions that achieve the 
intended regulatory intent and achieve the Government's vision for a 
Digital India. To that end, we respectfully request an opportunity to 
bring a delegation to discuss more fully the concerns outlined above 
and provide any additional information that may be helpful in your 
deliberations.
    I look forward to continuing our dialogue on the issue and my staff 
will follow up with your office. Please do not hesitate to direct any 
questions to Nileema Pargaonker, Head of Financial Services, 
[email protected] or Rohan Sirkar, Sr. Director, [email protected].
            Sincerely,
                                              Nisha Biswal,
                                                         President,
                                            U.S.-India Business Council
                                               U.S. Chamber of Commerce
                                 ______
                                 
                               Annexure 1

          Summary view of Data Localization in other countries
------------------------------------------------------------------------
                                     Payments Data  localization mandate
              Country                       ``only'' in the Country
------------------------------------------------------------------------
European Union                       No
------------------------------------------------------------------------
Russia                               No
------------------------------------------------------------------------
Indonesia                            No
------------------------------------------------------------------------
Canada                               No
------------------------------------------------------------------------
USA                                  No
------------------------------------------------------------------------
Hong Kong                            No
------------------------------------------------------------------------
Singapore                            No
------------------------------------------------------------------------
Australia                            No
------------------------------------------------------------------------
Japan                                No
------------------------------------------------------------------------
India                                Yes
------------------------------------------------------------------------

Data Protection Regimes
    The European Union General Data Protection Regulation (GDPR) 
Europe's General Data Protection Regulation (GDPR) does not have any 
data localization requirements. Under the European model, companies 
have flexibility with respect to the legal mechanism they use for data 
transfers. For example, under GDPR, companies have multiple options, 
including Standard Model Clauses, Country Adequacy, Binding Corporate 
Rules, and Privacy Shield.
The APEC Cross-Border Privacy Rules (APEC CBPR)
    The APEC CBPR was endorsed in 2011 and is a voluntary principles-
based privacy code of conduct for data controllers in participating 
APEC member economies, relating only to cross-border data flows.

   Organizations within participating economies seeking 
        certification under the APEC CBPR must have their data 
        protection practices and procedures assessed as compliant with 
        the program requirements.

   The APEC CBPR seeks to ensure compliance with normative 
        principles in order to ensure data is securely stewarded and 
        therefore preventing the need to require the on-shoring of data 
        for security concerns.
Other Major Data Protection Regimes in Asia
    Other data protection laws in major financial, processing and data 
analytics hubs that compete with India (e.g., Japan, Australia, Hong 
Kong, Singapore and the Philippines) provide for a range of legal 
mechanisms for companies to rely on for their cross-border data 
transfers. These include: accountability, ensuring that the recipient 
country has similar laws which protect the data, binding corporate 
rules, contractual clauses, and consent. These countries notably do not 
have data localization requirements for transaction data.
Other Data Regimes
    Some countries (e.g., Indonesia, Russia and China) have data 
regimes that contain certain requirements as to local storage and some 
related restrictions. However, these requirements are more nuanced than 
headlines would suggest. For example:

   Indonesia has on-soil data centre and onshore processing 
        requirements. However, these do not prohibit the transfer of 
        transaction data outside of Indonesia.

   Russia's Data Protection Law, while requiring a primary 
        database of the data to be onshore, does not prohibit the 
        transfer of transaction data or secondary copies of the data 
        off-shore and is limited to personal data.

   China's Cybersecurity Law, which requires the onshore 
        processing of personal data and important data by critical 
        infrastructure operators, envisages the possibility of cross-
        border transfers of such data when this is necessary for 
        business requirements and where this is subject to a security 
        assessment.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jon Tester to 
                          Roslyn Layton, Ph.D.
    Question 1. Many members of the panel mentioned the United States 
needs to step up our level of engagement and join other like-minded 
countries. In your opinion, which countries closest align with our 
values on Internet freedom, privacy, and Internet of Things?
    Answer. There are many countries which align with the U.S. on 
freedom, privacy, and the digital economy. Probably the closest ally is 
the United Kingdom, which not only enjoys close cultural and legal 
affinity the US, but also deep economic ties with our in digital 
economy.\15\ Importantly, the UK is less burdened by misguided EU 
policies such as the GDPR, forced erasure, and other EU Internet 
regulations.
---------------------------------------------------------------------------
    \15\ http://www.aei.org/publication/brexit-bring-uk-ever-closer-us-
digital-trade/
---------------------------------------------------------------------------
    While U.S.-EU relations may be strained at times, there is more in 
common between the U.S. and EU than not. In any case, in the last two 
years, significant goodwill has been advanced on the bilateral level in 
some European countries including Denmark and Poland, a credit to the 
indefatigable diplomatic and ambassador corps and officials from the 
Department of Commerce and State. Despite of the Senate's glacial pace 
of confirmations, acting and confirmed ambassadors to the EU have 
worked tirelessly and have realized success. For example, Denmark is 
the world's leading digital nation and desires to grow and strengthen 
relationships with the U.S.\16\ Poland is a relatively large European 
country (38 million) which has strong cultural and security ties to the 
U.S. It has a many highly skilled workers and a significant industrial, 
manufacturing base for high tech products. If a dialogue is strained 
directly with the European Commission, the U.S. can work directly with 
each European nation, and those nations can push the rational policy 
forward in Brussels.
---------------------------------------------------------------------------
    \16\ https://www.mercatus.org/publications/broadband-policy-
deregulation-denmark
---------------------------------------------------------------------------
    While Japan and the South Korea may have adopted some misguided 
policies on data transfer, the countries are security and trade allies 
with the US. It is important that the U.S. maintain these relationships 
and their exports are not lumped into the category of Chinese 
technology. It should be explored how to lessen the data transfer 
burdens considering the increasingly important role the U.S. plays for 
military, security, and economic reasons.
    More generally, the U.S. has allies in the many Asian nations which 
are weary of Chinese influence. The U.S. should try to strengthen these 
relationships. There is an important and valuable dialogue in the APEC 
Privacy Framework.\17\ This framework is a proven and preferable 
substitute for the GDPR. The U.S. should be more aggressive to 
challenge the EU on the GDPR, particularly considering the significant 
trade between the U.S. and EU in physical goods.
---------------------------------------------------------------------------
    \17\ https://cbprs.blob.core.windows.net/files/
2015%20APEC%20Privacy%20Framework.pdf
---------------------------------------------------------------------------
    In the Americas, the U.S. has a significant digital trade with 
Mexico and goodwill having concluded a trade agreement. Such progress 
is still possible with Canada, a relationship in which the two 
countries have significant next generation broadband networks, digital 
trade and exchange of technology workers.\18\ Colombia desires to the 
information technology hub of South America, having just been invited 
to the join the OECD. The turnaround of the country from a failed state 
to a modern digital economy today is almost miraculous, and it 
represents a policy success for the U.S. and the result of a long-term, 
bi-partisan commitment established in the Clinton Administration.
---------------------------------------------------------------------------
    \18\ http://www.aei.org/publication/claims-that-wireless-service-
is-too-expensive-dont-hold-up/
---------------------------------------------------------------------------
    Another important ally is Israel which has a significant economy in 
digital innovation.

    Question 2. What forum (e.g., the United Nations, NATO, etc.) do 
you recommend for facilitating an international discussion on rules and 
definitions?
    Answer. If Congress does only one thing, it should be to restore 
the bipartisan consensus which has made the Internet a success in the 
spirit of the 1996 Telecommunications Act. I applaud the committee and 
the Senators on both sides of the aisle which have made an effort to 
understand and address these issues. That both parties can have a 
constructive dialogue on the issue of international Internet policy 
will go a long way to set the tone for the many Federal agencies and 
representative bodies in which the U.S. participates.
    More broadly, the multistakeholder model (MSM) is not perfect, but 
it still affords the best model of Internet governance. The MSM is not 
a democratic body as such, but if the U.S. Government and American 
stakeholders play a leadership role within the MSM--displaying a 
faithful and authentic representation of American democratic values--
the MSM can be source for good and can help the U.S. regain its 
leadership position in international Internet policy to amplify the 
policy Congress defined for the Internet.
    The U.S. won't have any credibility if its international Internet 
policy is just about American companies making money. The U.S. must 
also export a value system that legitimately empowers and rewards other 
nations to participate in a free market Internet economy, respect the 
rule of law and individual rights, limit regulatory distortion and 
abuse, protect property, and deliver measurable improvements in quality 
of life. This also includes measures to protect the vulnerable, notably 
children.

    Question 3. Before the United States can lead the charge 
international, we must unify our own ``rules of the road.'' Does such a 
forum currently exist, to your knowledge? How has private industry in 
the U.S. tried to tackle how we define the rules of the road when it 
comes to Internet security and governance? Which U.S. governmental 
agency would you recommend take the lead and represent the United 
States in international discussions?
    Answer. The U.S. needs to reinvigorate the concept of ``Team USA'' 
when it comes to international Internet policy. I restate my comments 
to NTIA here.\19\
---------------------------------------------------------------------------
    \19\ https://www.ntia.doc.gov/files/ntia/publications/
ntia_iip_roslyn_layton_aei_final.pdf
---------------------------------------------------------------------------
    The Internet makes the world more transparent and speeds 
information. Increasingly America's companies are global, employ a 
greater number of Americans, and account for a larger part of the U.S. 
economy. While domestic policy is governed by a set of national rules 
and institution, the conduct of international commerce and enterprise 
requires a harmonization of international rules and norms. Harmonizing 
international institutions with Constitutional concepts of rule of law 
and individual rights offers the most fair, rational, and humane regime 
for Internet policy. To the maximum degree possible, the diverse set of 
American stakeholders should conduct this international dialogue and 
negotiation with a spirt of playing for the same team, Team USA.
    The Olympics offers an ideal vision for a global multistakeholder 
model (MSM). While the Nation is a team, its athletes compete in 
different events. Athletes are professional, sportsmanlike, and top-
performing. They play by the transparent and agreed rules and win 
because of their skills, strategy, and passion on the field, not 
because of a deal with the judges. Athletes respect their opponents and 
share the camaraderie of experience. American stakeholders and 
enterprises are as diverse as America's Olympic athletes and the sports 
in which they compete, but they should all play for the same team, Team 
USA.
    When American companies do business abroad--whether they are 
hardware, software, content, or telecom--they want a rational, 
predictable, and consistent framework across the board. Such a 
framework allows the firm to minimize costs, maximizes profit, and 
ensure efficiency. To ensure the ideal framework abroad, companies 
should advocate for the ideal framework at home. Therefore, the policy 
should be a consistent set of rules for all players, grounded in 
modern, evidenced-based standards of antitrust, and delivered by the 
Federal Trade Commission.\20\
---------------------------------------------------------------------------
    \20\ Bennett, Richard and Eisenach, Jeffrey A. and Glassman, James 
K. and Howell, Bronwyn E. and Hurwitz, Justin (Gus) and Layton, Roslyn 
and Bret Swanson, Comments on Communications Act Modernization (January 
31, 2014). Available at SSRN: https://ssrn.com/abstract
=2388723
---------------------------------------------------------------------------
    Cronyism, the unhealthy closeness between government and special 
interests, is a process to win government-granted privileges and 
favoritism.\21\ It upends the notion of public interest, that 
policymakers serve the broad social goals. Instead it demonstrates that 
government actors frequently reward private actors at the expense of 
the public. Over the long term, cronyism undermines the legitimacy of 
private sector and government. It also creates moral hazard, the 
situation in which an actor increases its exposure to risk because 
another party bears the cost of the risk. Taxpayers are too often left 
holding the bag. They revolt in elections.
---------------------------------------------------------------------------
    \21\ Adam Thierer and Brent Skorup, ``A History of Cronyism and 
Capture in the Information Technology Sector | Mercatus Center,'' 
Journal of Technology Law & Policy, July 2013, https://
www.mercatus.org/publication/history-cronyism-and-capture-information-
technology-sector.
---------------------------------------------------------------------------
    For example, leading Silicon Valley firms have waged a campaign to 
impose Internet regulation on the telecom industry to avoid 
interconnection fees and preclude the development of competitive 
business models for content and advertising.\22\ While it may a 
rational strategy for Silicon Valley, it is wrong and unfair to employ 
political means to secure price controls which undermine the efficient 
functioning of Internet markets. This has been harmful in the U.S. as 
well as abroad.
---------------------------------------------------------------------------
    \22\ ``Net Neutrality,'' Internet Association, accessed July 19, 
2018, https://internetasso
ciation.org/positions/net-neutrality/.
---------------------------------------------------------------------------
    The imposition of price controls denies infrastructure providers 
revenue to build networks (and tax revenue for governments), undermines 
the emergence of business models which could support local content 
development for socially beneficial goods (particularly in developing 
countries), and unduly burdens consumers with the full cost of 
networks, a cost that falls disproportionately on the poor. Moreover, 
the exercise distracts scarce policymaking resources away from real 
problems, which are empirically demonstrated to be the malign acts of 
governments to censor people, services, and data.\23\
---------------------------------------------------------------------------
    \23\ Freedom House. Freedom on the Net 2017. https://
freedomhouse.org/report/freedom-net/freedom-net-2017
---------------------------------------------------------------------------
    Indeed, many Internet related firms and industries have taken 
advantage of the regulatory process to win favorable treatment for 
themselves at the expense of their competitors and consumers. They now 
reap what they have sown in a global ``techlash.'' \24\ Foreign 
counterparts have learned from the rent-seeking behavior of Americans 
firms, and it has boomeranged. Now foreign governments find ways to 
regulate American firms to reward their domestic players.\25\
---------------------------------------------------------------------------
    \24\ ``The Techlash against Amazon, Facebook and Google--and What 
They Can Do,'' The Economist, January 20, 2018, https://
www.economist.com/briefing/2018/01/20/the-techlash-against-amazon-
facebook-and-google-and-what-they-can-do.
    \25\ Roslyn Layton, ``Net Neutrality Will Be Reincarnated as 
Platform Regulation,'' AEI, December 20, 2017, http://www.aei.org/
publication/net-neutrality-will-be-reincarnated-as-platform-
regulation/.
---------------------------------------------------------------------------
    While the freedom of speech restricts governments ability to censor 
and regulate content, it ensures individual sovereignty to do so. As 
such, private networks, platforms, and individual users have the 
freedom to control the content they deliver and consume. The best way 
to address perceived bias on informational platforms is to create 
alternatives. Rather than platform regulation, government should 
support the market forces that will support competition.\26\ Misguided 
FCC Internet and privacy regulation has deterred innovation in 
advertising platforms, solidifying a monoculture of business 
models.\27\ Moreover price controls disguised as regulation for non-
discrimination have deterred the evolution of a free market for data, 
forcing consumers to pay the full cost of broadband and denying them 
alternatives to lower cost. Internet penetration is at 76 percent in 
the U.S. The only way to close the gap is to allow flexible pricing and 
the freedom of different actors to create value propositions for 
consumers. I have conducted detailed assessments of the harm to the 
poor by regulatory prejudice and restriction on the flexible pricing of 
data. The most notable example is India's total ban of differential 
pricing which keeps 2 of every 3 people offline.\28\ See a list of 
relevant papers below.\29\
---------------------------------------------------------------------------
    \26\ Roslyn Layton, ``Net Neutrality Will Be Reincarnated as 
Platform Regulation,'' AEI, December 20, 2017, http://www.aei.org/
publication/net-neutrality-will-be-reincarnated-as-platform-
regulation/.
    \27\ Roslyn Layton, ``FCC Privacy Regulation Will Limit Competition 
in a Market That Really Needs It: Online Advertising,'' AEI, March 11, 
2016, http://www.aei.org/publication/fcc-privacy-regulation-will-limit-
competition-market-really-needs-online-advertising/.
    \28\ Roslyn Layton, ``Why Does California Want to Adopt India's 
Failed Internet Regulation?,'' AEI, July 16, 2018, http://www.aei.org/
publication/why-does-california-want-to-adopt-indias-failed-internet-
regulation/.
    \29\ Layton, Roslyn and Elaluf-Calderwood, Silvia, Zero Rating: Do 
Hard Rules Protect or Harm Consumers and Competition? Evidence from 
Chile, Netherlands and Slovenia (August 15, 2015). Available at SSRN: 
https://ssrn.com/abstract=2587542.
    Layton, Roslyn and Elaluf-Calderwood, Silvia, Free Basics Research 
Paper: Zero Rating, Free Data, and Use Cases in mhealth, Local Content 
and Service Development, and ICT4D Policymaking (September 27, 2016). 
TPRC 44: The 44th Research Conference on Communication, Information and 
Internet Policy 2016. Available at SSRN: https://ssrn.com/
abstract=2757384
    Howell, Bronwyn E. and Layton, Roslyn, Evaluating the Consequences 
of Zero-Rating: Guidance for Regulators and Adjudicators (August 2016). 
TPRC 44: The 44th Research Conference on Communication, Information and 
Internet Policy 2016. Available at SSRN: https://ssrn.com/
abstract=2757391.
    These papers have been referenced by the European Commission in 
their definitive study of zero rating. ``Zero-Rating Practices in 
Broadband Markets'' (EU, February 2017), http://ec.europa.eu/
competition/publications/reports/kd0217687enn.pdf.
---------------------------------------------------------------------------
    However, if the U.S. can clean up its own cronyism, American 
stakeholders will have an easier time to shut it down when facing it 
abroad. Sowing the seeds of free market and Constitutional principles 
will bear delicious fruit. Voters and policymakers recognize that 
modernizing America's regulatory institutions will be the most 
important step to maximize the welfare of the American people, its 
innovators, and its economy. Removing the incentives for regulatory 
arbitrage forces firms to compete on the merits of their goods and 
services--serving their customers, not regulators. This approach is the 
most fair and rational.

    Question 4. Dr. Layton, you mentioned one aspect missing from the 
GDPR is education. What would educating the public look like and who is 
responsible for it? Federal Government? State and local?
    Answer. Thank you for your questions on education. The Federal 
Trade Commission has developed extensive and value educational 
materials on data privacy and protection.\30\ While many of these 
materials and concepts have been developed to protect children, these 
best practices are also applicable to adults. This learning should be 
broadened and leveraged for Americans of all ages and made available on 
the FTC website. It could be explored to make a no free, zero rated 
website, e.g., ww.privacy.gov, where any person can learn the skills to 
protect oneself online. The FTC can fulfill this task efficiently and 
avoid duplication at the state and local government level. The 
following further comments are taken from my submission to the Federal 
Trade Commission.\31\
---------------------------------------------------------------------------
    \30\ https://www.consumer.ftc.gov/topics/privacy-identity-online-
security
    \31\ http://www.aei.org/publication/statement-by-roslyn-layton-in-
the-matter-of-competition-and
-consumer-protection-in-the-21st-century-and-market-solutions-for-
online-privacy/
---------------------------------------------------------------------------
    The Role of Consumer Education in Promoting Online Privacy. 
Consumer education is tacit recognized as important, but it a 
fragmented field, frequently disconnected from policy. Canadian home 
economist and consumer studies educator Sue McGregor offers an 
authoritative academic review of the field of consumer education.\32\ 
She describes consumer education as a means of protecting consumers as 
economic actors and empowering them with the political, ethical, and 
moral aspects of consumption (behavior) and consumerism (ideology) and 
observes that the concept has been extant for 120 years. A variety of 
theories explain the need for consumer education. For example, the 
market does not provide enough education, so information needs to be 
stimulated. Another view is that consumers demand ``uncensored'' 
information about the market. Another view posits that education is the 
path to consumer activism, so information is promoted by interested 
parties. Others define consumer education as a conceptual innovation. A 
modern view of consumer education describes it as a function of 
decision-making, personal resource management, and citizen 
participation in the policy process.
---------------------------------------------------------------------------
    \32\ Sue L. T. McGregor, ``Framing Consumer Education Conceptual 
Innovations as Consumer Activism,'' International Journal of Consumer 
Studies, 2015, http://www.consultmcgregor.com/documents/research/
consumer_activism_published_ijcs.pdf.
---------------------------------------------------------------------------
    In recent decades the notion of consumer education has been likened 
to human right (1960s), a model of postindustrial economics, people no 
longer producing their own goods (1970s), the business paradigm of 
consumer as client (1980s), the public-private partnership for consumer 
education, indeed a concept promoted in the 1996 Pitofsky report \33\ 
(1990s), and in the 2000s, consumer education vis-a-vis globalization 
and the policy process. Most recently the field has incorporated 
complexity theory. Despite this evolution, consumer education remains a 
fragmented endeavor with certain areas getting significant attention, 
for example financial literacy and smoking cessation, while other 
important areas are not discussed. There is also the view of the 
politicization of consumer education, for example that centrally 
planned disclosure for nutrition information on food satisfies 
regulators' expectations but fails to be meaningfully adopted by 
consumers.\34\ This suggests that for consumer education to be 
meaningful it needs to bottom-up or at least be holistic.
---------------------------------------------------------------------------
    \33\ Federal Communication Commission, ``Anticipating the 21 
Century: Consumer Protection Policy in the New High-Tech, Global 
Marketplace'' May 1996, https://www.ftc.gov/system/files/documents/
reports/anticipating-21st-century-competition-policy-new-high-tech-
global-marketplace/gc_v2.pdf.
    \34\ S. Hieke and C. R. Taylor, ``A Critical Review of the 
Literature on Nutritional Labeling,'' Journal of Consumer Affairs 46, 
no. 1 (2012): 120-56.
---------------------------------------------------------------------------
    It is instructive to consider the robust, vibrant market for 
information and education in the consumer electronics field detailing 
the most minute and technical aspect of machines. For decades consumers 
have availed themselves to magazines, online discussions, rankings, 
reviews, how-to videos, conferences, and so on. There is no policymaker 
directing the discussion, but it grows by consumer demand.
    There is no reason why there could not be a similar field for the 
consumption of online services, which describes the contours of online 
privacy and how users could select different technologies to manage 
their privacy. The difference is that consumer electronics education is 
essentially funded by advertising, the many providers of phones, 
devices, appliances, and so on advertise in popular publications, host 
discussions, and so on. Online platforms do not advertise as such. A 
valuable policy research project could investigate how to stimulate a 
market for consumer education on privacy and some recommendations 
follow in this paper.
    In any event, without consumer education on privacy it is difficult 
to expect all consumers to fully understand what to consent when 
agreeing to typical terms of services. The disclosures could be 
simplified and updated in more consumer-centric language and format.
    Public Choice Explanation for the Lack of Consumer Education on 
Privacy. The academic discipline of public choice uses economics to 
investigate problems in political science. It could help explain why 
consumer education on privacy is lacking, aside from one possible 
explanation that consumers are not interested to learn about privacy 
and therefore do not demand such information. A public choice 
theorization would likely recognize that while the notion of consumer 
education has implicit valence, industry and regulators may have 
incentives to de-emphasize its role. Indeed, if consumers are empowered 
to make informed choices, they have less need of regulators' 
supervision. Similarly, consumers making informed choices also affects 
industry; it has a powerful effect to drive consumers from one firm to 
another.
    The European Union's GDPR is suspect in that among 173 provisions 
the role and importance of consumer education is never discussed. This 
is likely because the regulation is in part a make-work program for 
75,000 new privacy officers and the employees of 62 data protection 
authorities. The GDPR assumes that regulatory authorities have more 
information than consumers and firms and therefore know better how to 
order transactions in the marketplace.\35\ All the same, the GDPR 
imposes massive new responsibility on regulators without a concurrent 
increase in training or funding.\36\ EU data supervisors must wear many 
hats, including ``ombudsman, auditor, consultant, educator, policy 
adviser, negotiator, and enforcer.'' \37\ Furthermore, the GDPR widens 
the gap between the high expectations for data protection and the low 
level of skills possessed by data supervisors charged with its 
implementation.\38\ There are certainly many talented individuals among 
these ranks, but the mastery of information communication technologies 
varies considerably among these professionals, especially as each 
nation's data protection authority is constituted differently.
---------------------------------------------------------------------------
    \35\ See generally F. A. Hayek, ``Economics and Knowledge,'' 1937; 
and F.A. Hayek, ``The Use of Knowledge in Society,'' 1945.
    \36\ Douglas Busvine, Julia Firoretti, and Mathieu Rosemain, 
``European Regulators: We're Not Ready for New Privacy Law,'' Reuters, 
May 8, 2018, https://www.reuters.com/article/us-europe-privacy-
analysis/european-regulators-were-not-ready-for-new-privacy-law-
idUSKBN1I915X.
    \37\ Colin J. Bennett and Charles Raab, ``The Governance of 
Privacy: Policy Instruments in Global Perspective,'' 2006.
    \38\ Charles D. Raab and Ivan Szekely, ``Data Protection 
Authorities and Information Technology,'' Computer Law and Security 
Review (forthcoming), https://ssrn.com/abstract=2994898.
---------------------------------------------------------------------------
    Public choice theory also suggests that the EU data supervisors' 
preferences are not necessarily aligned with the ``public interest,'' 
or what is best for European welfare in the long run. Increasing user 
knowledge and the quality of data protection technology could 
legitimately make people better off, but it could also render 
regulators less important. While data supervisors will not necessarily 
reject policies that improve user knowledge and technology design, it 
is in their interest to promote inputs that increase their own 
resources and legitimacy in conducting compliance and adjudication.\39\
---------------------------------------------------------------------------
    \39\ Roslyn Layton, ``How the GDPR Compares to Best Practices for 
Privacy, Accountability, and Trust,'' March 31, 2018, 14, https://
papers.ssrn.com/sol3/papers.cfm?abstract_id=2944358.
---------------------------------------------------------------------------
    Many surveys demonstrate that many users fail to practice basic 
privacy-enhancing behaviors.\40\ This situation is ripe for improvement 
and represents a classic example of how consumer education can improve 
outcomes better, more quickly, and at a lower cost than regulation. 
Indeed, the first principle of consumer education in data protection, 
buyer beware, is the first principle for how citizens should protect 
themselves in cyberthreats in Michael Chertoff's new book on 
cybersecurity: ``Be mindful of what data you transmit and what you 
connect to your own network.'' \41\ He also recommends practicing cyber 
hygiene, taking advantage of layered cybersecurity technology, and 
outsmarting scams with a phone call. Consumers need to practice the 
same kind of vigilance and personal responsibility in cybersecurity as 
they do in the data protection domain. Outsourcing the job to 
bureaucrats will not cut it, as the user can be a vulnerability point. 
Consider warnings and labels on food and chemicals; while regulation 
can mandate that disclosures be made, if users do not recognize the 
meaning of expiration dates or consumption warnings, then the 
disclosure has little impact.
---------------------------------------------------------------------------
    \40\ Layton, ``How the GDPR Compares to Best Practices for Privacy, 
Accountability, and Trust.''
    \41\ Michael Chertoff, ``Exploding Data: Reclaiming Our Cyber 
Security in the Digital Age,'' Atlantic Monthly Press, 2018.
---------------------------------------------------------------------------
    As such, the GDPR rests on a fallacy that making consent more 
explicit makes consumers more informed. The GDPR requires enterprises 
to make consent ever more detailed, burdensome, and granular without 
increasing the user's holistic knowledge of the transaction. This 
creates an increasing chasm between consumer empowerment and 
bureaucratic control. It is like speaking more loudly to a person who 
speaks another language in the hope that she will better understand.
    When producers and consumers do not have perfect information, this 
discrepancy can give rise to inefficiency or abuse. Peer-to-peer 
platforms have resolved many of these problems of informational 
asymmetry through information sharing. Consider how the ability to 
evaluate drivers and riders is an essential part of ridesharing apps. 
Before Uber, neither the taxi company nor the regulator was interested 
to publish real-time information about the quality of drivers or cars, 
as it would like to impugn the failure of regulator. Ratings and peer 
reviews are essential in the digital economy. Indeed, some health 
regulators use Yelp ratings to help inform how they deploy their 
inspection resources.\42\
---------------------------------------------------------------------------
    \42\ Roslyn Layton, ``How Sharing Economy Regulatory Models Could 
Resolve the Need for Title II Net Neutrality,'' AEI, June 26, 2017, 
http://www.aei.org/publication/sharing-economy-regulatory-models-
resolve-need-title-ii-net-neutrality/; And Arun Sundararajan, The 
Sharing Economy: The End of Employment and the Rise of Crowd-Based 
Capitalism (MIT Press, 2016)
---------------------------------------------------------------------------
    Consumer education could be vital to demystify the ``black box'' of 
many Internet platforms, which for many consumers is a system in which 
they can observe the inputs and outputs but have little to no insight 
to its internal workings.
    Tapping the FTC's Consumer Education Resources. The FTC already has 
significant educational resources to help consumers protect themselves 
online in the privacy, identity and online security sections of its 
website.\43\ It would be worthwhile to see how this information could 
be shared, syndicated, and amplified, for example through social media 
by users themselves. Even if no further policy was enacted at all, 
people could read the FTC section on protecting kids online and learn 
many things about being more responsible and protecting one's privacy. 
Essentially, the very restraint that parents are to apply to children, 
they should apply to themselves.
---------------------------------------------------------------------------
    \43\ Federal Trade Commission, ``Privacy, Identity & Online 
Security,'' https://www.con
sumer.ftc.gov/topics/privacy-identity-online-security
---------------------------------------------------------------------------
    Moreover, there is nothing is to stop any privacy advocacy 
organization, philanthropic charity, school, trade association, or 
company from presenting a similar list or linking to the FTC's 
information. They do not have to ask permission; they do not need to 
wait for legislation. Information can be made available to consumers 
today.
    The section on limiting unwanted calls and e-mails is quite 
detailed noting privacy choices for your personal financial 
information; stopping unsolicited mail, phone calls, and e-mail; 
blocking unwanted calls; robocalls; they do not call registry; phone 
scams, telemarketing rules; and reducing spam on e-mail and SMS. These 
include common sense tips such as using e-mail filters, limiting 
exposure of one's e-mail address, changing privacy settings, choosing 
unique e-mail address, detecting and removing malware, and reporting 
spam.
    The section on protecting kids online delves into cyberbullying, 
how parents can talk with kids, and basic security such as peer-to-peer 
file sharing, phishing, and downloading apps. Indeed, these pointers 
could easily be extended to adults. Some of these settings could be 
defaults for first-time adult users until they become more familiar. 
There are privacy-enhanced devices apps for children, so there is no 
reason why they cannot be designed for adults. Features include 
programmable limitation on services, emergency buttons, time management 
controls, filtering software applied to ensure that users do not share 
personal information or content. Just as parents develop rules for 
their kids, they should live by their own rules, limiting their use at 
family times, in the evening, etc. But they can also be more diligent 
about their behavior. Adults should be cautious in what they post, 
whether text, picture, or video. They should use ``good judgment.''
    The OECD's International Cooperation on Consumer Education for 
Online Privacy. More than a decade ago various private and public 
organizations have outlined the role of consumer education in online 
privacy, but this thinking and educational assets have not been 
meaningfully incorporated into policy. Notably, the Organisation for 
Economic Co-operation and Development (OECD) published a study on 
Consumer Education for Digital Competence.\44\ Key learning points 
include:
---------------------------------------------------------------------------
    \44\ Organisation for Economic Co-operation and Development, 
``Consumer Education Policy Recommendations of the OECD'S Committee on 
Consumer Policy,'' 2009, http://www.oecd.org/sti/consumer/44110333.pdf.

   Linking the concept of digital competence with critical 
---------------------------------------------------------------------------
        thinking on technology and the media,

   Educating to provide a basis for developing an understanding 
        of the structures and conceptual relationships understanding 
        digital media (e.g., functioning of online market, e-commerce 
        marketing techniques, and user tools),

   Learning the how and why of protecting personal information 
        when using digital media,

   Using media to promote the education of digital competence 
        in compelling ways (e.g., games, videos, blogs, and virtual 
        worlds),

   Age-appropriate education,

   Implementing teacher training, and

   Strengthening multi-stakeholder cooperation to create 
        educational partnerships.

    The OECD also published a book to describe prevailing consumer 
education practices across the member nations, including the 
institutional frameworks and policy evaluation tools.\45\
---------------------------------------------------------------------------
    \45\ Organisation for Economic Co-operation and Development, 
``Promoting Consumer Education: Trends, Policies and Good Practices--
OECD,'' March 2009, http://www.oecd.org/sti/consumer/
promotingconsumereducationtrendspoliciesandgoodpractices.htm#howto.
---------------------------------------------------------------------------
    Institute for Privacy Protection at Seton Hall University. Gaia 
Bernstein, director of the Institute for Privacy Protection and 
codirector of the Gibbons Institute of Law Science and Technology at 
Seton Hall University observes, ``We can take action to regain control 
of our time, attention and social interactions.'' \46\ The center 
offers training for teachers and other leaders about how to empower 
users to manage their privacy. The core curriculum is based on the 
concept of explaining the concept of privacy, digital footprints and 
reputation, ads and content choice, and online versus offline 
balance.\47\
---------------------------------------------------------------------------
    \46\ Gaia Bernstein, ``About the Over-Users,'' accessed August 20, 
2018, http://gaiabern
stein.com/.
    \47\ Seton Hall, ``Institute for Privacy Protection's School 
Outreach Program,'' https://law.shu
.edu/about/news.cfm?customel_datapageid_6255=537438.
---------------------------------------------------------------------------
    Teaching Privacy Curriculum. For example, in the US, the ``Teaching 
Privacy Curriculum'' by Serge Egelman et al., offers interactive 
instruction on 10 principles of online privacy over three weeks in a 
university setting, a method that has also proved effective to educate 
and empower users to manage their privacy.\48\
---------------------------------------------------------------------------
    \48\ Serge Egelman et al., ``The Teaching Privacy Curriculum,'' 
2016, 591-96.
---------------------------------------------------------------------------
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maggie Hassan to 
                            Denise E. Zheng
    Question 1. We have heard a lot about Europe's new data privacy 
protections, known as the GDPR. I would like to understand better what 
their actual impact has been in the United States, and how much 
companies are differentiating their practices for European consumers 
vs. American consumers.
    For example, during his testimony in the spring, Mark Zuckerberg 
promised that Facebook would apply the same standards to users in 
Europe and America. But it now appears that Facebook is requiring 
consent from European users for some of its policy changes while merely 
notifying American users--and may be treating users in other places 
like Asia differently altogether.
    From your perspective working with companies, are they now handling 
European users differently than American users, or are companies 
applying the same standards and practices worldwide? Why should we seek 
to harmonize our laws across countries, if it's easy for companies to 
treat users differently in different places?
    Answer. Companies face a growing number of privacy and other data 
protection requirements at the state, federal, and global level. As a 
result, it can be difficult for businesses to apply the same privacy 
practices worldwide due to competing and sometimes conflicting 
regulatory requirements.
    The privacy and security of consumer data is a top priority for 
Business Roundtable companies regardless of where their consumers are 
located. In some cases, companies may apply the same practices and 
standards worldwide, while in other instances, adopting the same 
practices everywhere may make it unfeasible to comply with local 
requirements and enforcement regimes.
    Harmonization of existing privacy and other data protection 
requirements is necessary to avoid a globally fragmented regulatory 
environment. The global patchwork of requirements is cumbersome and 
costly for large companies and even more difficult for small businesses 
and startups to navigate. The legal uncertainty that results from the 
lack of harmonization undermines investment, growth, and job creation.c

    Question 2. Earlier this spring, attorney Craig Newman proposed the 
idea of publicly grading companies' data privacy and cybersecurity 
efforts on a simple A through F scale, similar to the way we do with 
health inspections for restaurants in some places. The goal would be to 
create incentives for companies to implement best practices in order to 
receive better grades and help them retain and attract customers.
    There are some issues we would need to work through in implementing 
something like this, but I think it is an idea worth exploring further, 
which I am currently doing with Mr. Newman and others.
    Do you have further thoughts on this kind of proposal?
    Answer. Business Roundtable has not yet evaluated this proposal, 
but we stand ready to assist the Committee as it evaluates this and 
other proposals.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                           to Denise E. Zheng
    Question 1. There are nearly a quarter of a million small 
businesses in Nevada. They're working to try to navigate the 
increasingly complex cyber world and I hear a lot from them about 
cybersecurity and other Internet issues.
    Can you talk about GDPR, as well as other international 
regulations, and how we can ensure that small businesses have the tools 
to navigate these as well as rules that are being put in place at the 
state level?
    Answer. Many small- and medium-sized companies have very limited 
resources and in-house expertise to navigate the increasingly complex 
regulatory landscape for privacy and security.
    Governments at the state, federal, and international levels should 
provide assistance, training, and tools for small- and medium-sized 
businesses to strengthen their efforts to improve their own data 
security and privacy practices. Governments should also consider 
whether their outreach and relationships effectively reach small- and 
medium-sized businesses and make efforts to ensure that they consider 
the interests of all companies.
    In cases where greater government engagement is needed, governments 
should provide small businesses with practical and tailored risk 
management frameworks, guidance, and other tools to ensure businesses 
of all sizes have the resources to safeguard their own data and 
technology infrastructure, protect consumer data, and comply with 
regulatory requirements.

    Question 2. Countries and increasingly imposing data localization 
requirements, which require companies that collect personal data to 
store it on servers within the geographic boundaries of the country, as 
a requirement for companies to do business there.
    Are there logistically feasible ways for American entities to 
process data internationally with the data localization polices that 
were discussed at the hearing?
    Answer. Data localization requirements can impose prohibitively 
costly workarounds on American companies processing data 
internationally. When laws require data to be stored and processed 
within the borders of one country, companies may attempt to comply by 
replicating, at a great cost, centralized systems, connectivity, 
software, and supporting data. A company that hosts back-office 
services at two centralized data centers (one primary, one backup for 
resiliency and disaster recovery) could see operating costs multiply if 
forced to create regional data centers.
    Furthermore, U.S. companies that develop content for global 
distribution or share services on a global scale may be required to 
duplicate business efforts. For example, a company that develops online 
content for one online platform may be required to redesign and 
redeploy that content in countries that censor those platforms.
    Finally, localization measures weaken the resilience of global 
business and critical infrastructure. As noted, a geographically 
diverse network architecture provides businesses with added resiliency. 
If there are physical outages or cyber-attacks at one data center, a 
robust global network enables other data centers to pick up the work. 
The same geographic diversity enables 24/7 threat monitoring and 
mitigation through a follow-the-sun approach to cybersecurity 
operations.

    Question 3. How does this impact academia or the private sector?
    Answer. The growth of data localization restrictions across the 
globe is causing key challenges for U.S. companies across all sectors 
of the economy including:

   Threatens Interoperability. Data localization requirements 
        threaten a free and open Internet by putting unnecessary 
        restrictions on the free-flow of data. It is a form of digital 
        protectionism that fragments the internet, undermines global 
        interoperability, and could result in delays and unevenness in 
        the deployment of the new internet-enabled technologies.

   Compliance Costs. Data localization requirements impose 
        significant costs associated with legal and regulatory 
        compliance. Restrictions are complex and nuanced, requiring 
        interpretation and causing legal uncertainty. Such requirements 
        can raise the cost of hosting data by 30 to 60 percent for 
        companies that are covered by such requirements.\1\ One study 
        estimated that enacted or proposed data localization mandates 
        in China could cost up to 1.1 percent of its GDP and the cost 
        of data localization requirements in the EU could cost nearly 
        0.4 percent of its GDP.\2\ Localization can also limit the 
        effectiveness of regulatory compliance by preventing the timely 
        transfer of data to inform regulatory requests and reporting, 
        such as those with respect to anti-money laundering 
        requirements under the Bank Secrecy Act.
---------------------------------------------------------------------------
    \1\ Leviathan Security Group (2015). Quantifying the Cost of Forced 
Localization. Retrieved from https://static1.squarespace.com/static/
556340ece4b0869396f21099/t/559dad76e4b0899d9
7726a8b/1436396918%20881/
Quantifying+the+Cost+of+Forced+Localization.pdf
    \2\ European Centre for International Political Economy (2016 
March). Unleashing Internal Data Flows in the EU: An Economic 
Assessment of Data Localization Measures in the EU Member States. 
Retrieved from http://ecipe.org/app/uploads/2016/12/Unleashing-
Internal-Data-Flows-in-the-EU.pdf

   Redundant Investments. Companies may be required to make 
        redundant capital investments by building data servers in 
        various global locations to meet local data storage laws. 
        Building multiple data centers in every country where a company 
        delivers products or services may not be feasible. In the event 
        of a disaster, recovery of services could be significantly 
        delayed or impossible without offshore data backup and 
---------------------------------------------------------------------------
        processing.

   Workforce Challenges. Local data storage mandates can cause 
        companies to fragment centralized workforce information. When 
        companies are unable to consolidate HR information at a global 
        enterprise level, it impacts their ability to create best 
        practices and assess talent across locations. Furthermore, the 
        isolation of data can create skill gaps that force companies to 
        relocate or rehire employees to access specific sets of data 
        rather than moving the data to employees with specific skills.

   Non-tariff barriers to trade. Localization requirements 
        limit digital and physical trade across borders by placing 
        restrictions on the movement of digital goods and information 
        necessary to support commercial activity. Countries that are 
        committed to increased economic growth, expanded trade, and 
        sustainable digital development should not adopt localization 
        measures.

    Question 4. With the various data localization laws taking effect, 
can you discuss whether those typically explicitly forbid data transfer 
over national borders or would they allow a country, Germany for 
example, to host data on German made servers in a neighboring country?
    Additionally, if a U.S. company, for example, was expected to store 
data on a data center in a country like China, would it be mandated to 
use Chinese materials or technology in the construction of the data 
center? Please answer generally with respect to the multitude of data 
localization laws.
    Answer. Data localization requirements can take a variety of forms. 
Such measures ``differ from country to country in terms of industry 
coverage, geography, types of data covered, complexity, [and] data 
intensity.'' \3\ Stricter measures usually require that specified types 
of data collected in a particular country be stored and processed in 
that country's borders. Other rules may require certain conditions to 
be met for data to leave the implementing country, effectively banning 
the transfer of data offshore. Some rules also place requirements on 
the types of technology used.
---------------------------------------------------------------------------
    \3\ International Trade Commission (2017 August). Global Digital 
Trade 1: Market Opportunities and Key Foreign Trade Restrictions. 
Retrieved from https://www.usitc.gov/publications/332/pub4716_0.pdf
---------------------------------------------------------------------------
    For example, China has adopted strict data localization laws. 
China's Cybersecurity Law that went into effect in June 2017 requires 
all ``important information'' and ``personal information'' to be stored 
in China. Under this regime, ``network operators'' are prohibited from 
transferring covered data outside of China without undergoing a 
government-mandated security assessment. As currently defined, the law 
could cover any entity that owns or operates a computer network and 
applies to a vast and ambiguous assortment of different types of data. 
In addition, China has localization measures applying specifically to 
telecommunications. China's Telecommunications Regulation of 2000 
requires all data collected inside China to be stored on Chinese 
servers.
    Russia's data localization law provides another example of a strict 
regime. Federal Law No. 242-FZ requires all data operators, both 
domestic and foreign, to store the personal information of Russian 
citizens on servers physically located within Russian borders.
    China and Russia are not the only countries with data localization 
requirements. India, Nigeria, Indonesia, Malaysia, Vietnam, and South 
Korea all have enacted laws that prohibit the transfer of a range of 
business and consumer data outside of their respective jurisdictions.

    Question 5. The EU-U.S. Privacy Shield is a program that allows 
companies to transfer personal data to the United States from the 
European Union (EU) in a way that is consistent with EU law. However, 
the European Parliament passed a non-binding resolution in July 
claiming the United States was not complying with European law and 
called on the European Commission to suspend Privacy Shield by 
September 1 ``unless the U.S. is fully compliant.''
    What would the impact to U.S. businesses be if the EU Commission 
suspends Privacy Shield?
    Answer. The EU-U.S. Privacy Shield Framework is an important legal 
tool that facilitates global digital commerce by providing U.S. 
companies with a mechanism to comply with EU data protection 
requirements when transferring personal data from Europe to the US. 
More than 3,000 organizations have self-certified they comply with the 
Framework since it was established, including a significant number of 
Business Roundtable companies.
    Cross border data flows are the foundation of today's 
interconnected economy and critical to billions of dollars in trade 
between the U.S. and European countries. Data flows between the U.S. 
and Europe are the highest in the world and are 50 percent larger than 
data flows between the U.S. and Asia.\4\ In addition, the EU and U.S. 
are the top markets for each other for digital goods and services.
---------------------------------------------------------------------------
    \4\ Brookings Institution (2014 October). The Importance of The 
Internet and Transatlantic Data Flows for U.S. and EU Trade and 
Investment. Retrieved from https://www.brookings.edu/wp-content/
uploads/2016/06/internet-transatlantic-data-flows-version-2.pdf
---------------------------------------------------------------------------
    Suspension of the Privacy Shield Framework would bring the legal 
transfer of EU resident data to a halt for organizations reliant on the 
Framework, along with the trade that depends upon those data flows. 
Companies would have to undergo burdensome processes to establish 
alternative transfer mechanisms such as binding corporate rules or 
standard contractual clauses, which can be expensive and disruptive to 
business activities dependent on the information.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jon Tester to 
                            Denise E. Zheng
    Question 1. Many members of the panel mentioned the United States 
needs to step up our level of engagement and join other like-minded 
countries. In your opinion, which countries closest align with our 
values on Internet freedom, privacy, and Internet of Things?
    Answer. Internet freedom, privacy, and Internet of Things are 
related policy issues, but also very different. The best countries to 
engage with may vary based on the issue at hand.
    Maintaining a multi-stakeholder approach to Internet governance, 
which includes governments, businesses, academia, and civil society, is 
critical to preserving a free and open Internet that enables economic 
growth and opportunity around the world. The U.S. must work other like-
minded countries to strengthen multi-stakeholder institutions, promote 
principles of Internet freedom in countries with nascent Internet 
policies, and counter efforts by repressive countries attempting to 
rewrite the rules of the Internet in ways that are fundamentally at 
odds with open markets and democratic values.
    American companies and the U.S. Government should continue working 
closely with the EU and countries in Asia, including Japan and South 
Korea, to establish interoperable privacy frameworks that protect 
consumers and promote continued growth and innovation.

    Question 2. What forum (e.g., the United Nations, NATO, etc.) do 
you recommend for facilitating an international discussion on rules and 
definitions?
    Answer. Norms, best practices, and standards for digital economy 
issues should be developed in multi-stakeholder forums where 
government, industry, and civil society have a seat at the table. The 
U.S. Government should seek to strengthen ties with allies and 
demonstrate leadership in forums where countries are promoting 
regulatory regimes that disadvantage American companies and run counter 
to American values of an open and secure cyberspace. The appropriate 
forum for international discussion depends on the issue. Examples of 
possible forums to discuss cross-border data flow, cybersecurity, and 
privacy issues include:

   Cross-Border Data Flows. The U.S. Government should use 
        trade agreement discussions to minimize barriers to 
        international trade, including restrictions on the free flow of 
        data across borders.

   Cybersecurity. The U.S. Government should actively engage in 
        discussions with ``Five Eyes'' nations to discuss how to 
        enhance collaboration to address common security challenges in 
        cyberspace. In addition, the U.S. Government should promote the 
        alignment of cybersecurity regulations and frameworks in 
        ongoing and upcoming trade negotiations to reduce regulatory 
        fragmentation.

   Privacy. Congress and the Administration should work with 
        industry and other privacy stakeholders to develop a framework 
        for national consumer privacy legislation, and create a 
        strategy to engage with the EU and countries in Asia that 
        promote interoperability with GDPR and other international 
        policy frameworks. The U.S. public and private sectors should 
        also be fully engaged in upcoming APEC Cross-Border Privacy 
        Rules discussions and OECD privacy efforts.

    Question 3. Before the United States can lead the charge 
international, we must unify our own ``rules of the road.'' Does such a 
forum currently exist, to your knowledge? How has private industry in 
the U.S. tried to tackle how we define the rules of the road when it 
comes to Internet security and governance? Which U.S. governmental 
agency would you recommend take the lead and represent the United 
States in international discussions?
    Answer. U.S. companies have been working closely with the U.S. 
Government, foreign nations, and other regional and international 
bodies to participate in efforts to the define the ``rules of the 
road'' for Internet security and governance that enables growth and 
innovation while safeguarding security and privacy.
    American companies are committed to building long-standing and 
trusted partnerships with the government to create policy solutions 
that provide the public and private sectors with the tools needed to 
manage sophisticated cybersecurity threats to critical infrastructure. 
A key example of how government and industry have partnered to 
strengthen cybersecurity for all sectors of the economy and the 
government is the creation of the National Institute of Standards and 
Technology (NIST) Cybersecurity Framework. The Cybersecurity Framework 
is a voluntary industry-led risk management approach based on best 
practices and guidelines to reduce cyber risk.
    The U.S. Government should promote the Cybersecurity Framework with 
other countries and international standards bodies. The adoption of 
interoperable cybersecurity standards across jurisdictions promotes 
innovation and helps multinational businesses more effectively manage 
risks. NIST should encourage foreign governments and international 
standards organizations, such as the International Standards 
Organization (ISO) and International Electrotechnical Commission (IEC), 
to leverage the Framework in a manner that enables harmonization and 
complementary standards, guidelines, and best practices. In addition, 
the U.S. Trade Representative should promote the use of voluntary cyber 
risk management frameworks and advance prohibitions on localization 
measures in all future trade agreements.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Maggie Hassan to 
                        Christopher M.E. Painter
    Question 1. We have heard a lot about Europe's new data privacy 
protections, known as the GDPR. I'd like to understand better what 
their actual impact has been in the United States, and how much 
companies are differentiating their practices for European consumers 
vs. American consumers.
    For example, during his testimony in the spring, Mark Zuckerberg 
promised that Facebook would apply the same standards to users in 
Europe and America. But it now appears that Facebook is requiring 
consent from European users for some of its policy changes while merely 
notifying American users--and may be treating users in other places 
like Asia differently altogether.
    Mr. Painter, should it be a concern if companies like Facebook are 
differentiating in this way? Why should we seek to harmonize our laws 
across countries, if it's easy for companies to treat users differently 
in different places?
    Answer. I have not conducted any research on the extent that 
companies are differentiating between U.S. and other customers. 
However, though the GDPR does have some effects outside the European 
Union, it is primarily aimed at protecting EU citizens and their data. 
U.S. and European data protection standards have always been 
different--though the goal is for them to be interoperable. Though for 
administrative and other reasons it should be expected that some 
companies will apply the same standards globally, in the absence of 
U.S. rules there is no legal requirement to do so. Accordingly, in 
order to achieve the kind of harmonization you raise, the U.S. would 
need to have similar practices. As I said in my testimony, if the U.S. 
wants to set the global standard, it is important for the U.S. to have 
its own consumer data privacy regime, drawing from the Privacy Bill of 
Rights released during the last administration.

    Question 2. Earlier this spring, attorney Craig Newman proposed the 
idea of publicly grading companies' data privacy and cybersecurity 
efforts on a simple A through F scale, similar to the way we do with 
health inspections for restaurants in some places. The goal would be to 
create incentives for companies to implement best practices in order to 
receive better grades and help them retain and attract customers.
    There are some issues we would need to work through in implementing 
something like this, but I think it is an idea worth exploring further, 
which I am currently doing with Mr. Newman and others.
    Could you elaborate on this idea in the context of international 
companies--whether and how we could implement and idea like this 
globally, and what challenges we might face?
    Answer. This is an interesting idea and deserves further study. As 
you note there are a number of challenges to implementing such a regime 
either domestically or internationally. These include what the criteria 
would be for such designations, who would determine whether a 
particular entity deserved a particular rating, how would those 
decisions be reviewed, how would such designations differ based on the 
criticality of the end use, whether the simple grade designations 
really convey useful information to the end user, etc. The complexity 
is magnified if the scheme is meant to be used internationally as other 
countries, civil society and the private sector in those countries 
would have to buy in to that scheme and the ``grade'' should not be 
used as a way to control market access. The EU is currently working on 
cybersecurity legislation that would create a voluntary certification 
regime for cybersecurity and network products. In the course of that 
legislative process a number of considerations came to light and have 
ben incorporated or are being weighed. Among these considerations is 
that such a scheme should be based on a risk management approach; that 
there is no one size fits all and any certification criteria should be 
developed collaboratively with relevant industry players and that such 
a scheme should be largely voluntary.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Catherine Cortez Masto 
                      to Christopher M.E. Painter
    Question 1. There are nearly a quarter of a million small 
businesses in Nevada. They're working to try to navigate the 
increasingly complex cyber world and I hear a lot from them about 
cybersecurity and other Internet issues.
    Can you talk about GDPR, as well as other international 
regulations, and how we can ensure that small businesses have the tools 
to navigate these as well as rules that are being put in place at the 
state level?
    Answer. Given the complexities of the GDPR and the growing and 
sometimes conflicting cybersecurity regulations around the world it is 
often difficult for small businesses to take into account and implement 
varying requirements. This, of course, is heightened if they do 
business globally. The same is true in the physical world but given 
that many small businesses have an online presence they may be subject 
to certain requirements, like GDPR, particularly if they are processing 
data from overseas. There is no easy answer to this, but, for example, 
as GDPR is being implemented there are a number of resources that are 
being created to help navigate its requirements. Nevertheless, this 
will likely require small businesses to devote scarce resources to 
compliance.

    Question 2. Countries and increasingly imposing data localization 
requirements, which require companies that collect personal data to 
store it on servers within the geographic boundaries of the country, as 
a requirement for companies to do business there.
    Are there logistically feasible ways for American entities to 
process data internationally with the data localization polices that 
were discussed at the hearing?
    Answer. Some larger companies have been able to deal with at least 
some of these requirements by building or operating data centers 
overseas but this approach, even for large and well resourced entities, 
is not scalable or sustainable if many more countries demand this. This 
is also an issue for small and start-up businesses who don't have the 
resources to operate several data centers around the globe. Moreover, 
with respect to repressive countries, data localization requirements 
are often used as a proxy to allow greater monitoring and control of 
their citizens and that raises significant human rights issues.

    Question 3. How does this impact academia or the private sector?
    Answer. As noted above, any entity that is required to comply with 
data localization demands will need to devote significant resources to 
comply and this is not scalable in the long term.
    Also, as noted above, there may be significant human rights 
concerns.

    Question 4. With the various data localization laws taking effect, 
can you discuss whether those typically explicitly forbid data transfer 
over national borders or would they allow a country, Germany for 
example, to host data on German made servers in a neighboring country?
    Answer. I have not studied this issue but it would very much depend 
on the laws and regulations of the country or geo-political entity in 
question.

    Question 5. Additionally, if a U.S. company, for example, was 
expected to store data on a data center in a country like China, would 
it be mandated to use Chinese materials or technology in the 
construction of the data center? Please answer generally with respect 
to the multitude of data localization laws.
    Answer. Again, I have not studied this issue but such requirements, 
if they exist, would not necessarily be part of the data localization 
law itself. China, for example, has used a number of methods more 
generally to require, among other things, joint ventures with Chinese 
companies for certain businesses wishing to operate in China and has 
used its cybersecurity law to mandate or exclude various products.

    Question 6. The EU-U.S. Privacy Shield is a program that allows 
companies to transfer personal data to the United States from the 
European Union (EU) in a way that is consistent with EU law. However, 
the European Parliament passed a non-binding resolution in July 
claiming the United States was not complying with European law and 
called on the European Commission to suspend Privacy Shield by 
September 1 ``unless the U.S. is fully compliant.'' What would the 
impact to U.S. businesses be if the EU Commission suspends Privacy 
Shield?
    Answer. The U.S. and EU methods for dealing with data protection 
and privacy differ and so the goal has always been to assure basic 
interoperability. The Privacy Shield has been a vital means to both 
assuring European entities of basic privacy protections and ensuring 
that both U.S. and European businesses and other entities can transfer 
necessary data and conduct business and other interactions. If the 
Privacy Shield is suspended, it will have a major negative effect on 
businesses and individuals on both side Atlantic.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jon Tester to 
                        Christopher M.E. Painter
    Question 1. Many members of the panel mentioned the United States 
needs to step up our level of engagement and join other like-minded 
countries. In your opinion, which countries closest align with our 
values on Internet freedom, privacy, and Internet of Things?
    Answer. Most of our traditional allies and partners, including 
European, Five-Eye, G7 countries and others are closely aligned with 
our views (though I will not list all of them here for fear of leaving 
some out). While it is important we continue to strengthen our ties 
with our traditional partners, it is also important that we work with 
them to expand the like-minded tent through capacity building and 
International engagement.

    Question 2. What forum (e.g., the United Nations, NATO, etc.) do 
you recommend for facilitating an international discussion on rules and 
definitions?
    Answer. There is no ``one ring to rule them all'' forum but rather 
we need to work with our partners is advancing these issues in a 
variety of both international and regional forums. These include the UN 
(like our engagement in the Group of Governmental Experts), NATO (that 
has made great strides in incorporating cyber issues into its core 
policies in the last 10 years), the OAS, the OSCE, ASEAN, the G7. It 
also includes informal organizations like the Coalition for Freedom 
Online and a host of public/private and multi-stakeholder forums. For 
example, I currently serve as a Commissioner on the Commission for the 
Global Stability of Cyberspace, a multi-stakeholder group that is 
trying to suggest and advance stability measures and a framework in 
cyberspace, and I chair a working group for the Global Forum for Cyber 
Expertise that works with governments, the private sector, and civil 
society to advance cyber capacity building efforts.
    As cyber issues--including human rights, Internet governance, 
cybersecurity, cybercrime, and international security and conflict 
issues--become ever more prominent, nearly every global and regional 
forum are brining to consider them. Some forums are more tailored to 
specific issues than others but there is an urgent need to engage as 
many of these forums are considering issues or making decisions that 
could have a profound impact on the future of cyberspace.

    Question 3. Before the United States can lead the charge 
international, we must unify our own ``rules of the road.'' Does such a 
forum currently exist, to your knowledge? How has private industry in 
the U.S. tried to tackle how we define the rules of the road when it 
comes to Internet security and governance? Which U.S. governmental 
agency would you recommend take the lead and represent the United 
States in international discussions?
    Answer. Given the breadth and scope of cyber issues U.S. 
coordination is paramount if we are to continue to lead the global 
discussion in this area. Although there is no single domestic forum 
where all these issues come together, their has, in the past, been 
strong coordination between Federal agencies and robust outreach to the 
private sector and civil society. Various agencies have taken the lead 
on different aspects of cyber policy and in taking practical measures 
to thwart cyber threats including DHS, DOJ, DOD, State, Commerce and 
others. Overall international engagement on policy issues has been led 
by State (and that should continue) though other agencies have worked 
closely with international counterparts on their mission sets. In my 
former role, I led interagency delegations in a number of engagements 
that sought to present a whole-of-government approach. That said, given 
the importance of the international issues being raised and the need to 
build coalitions to respond to shared threats, I am concerned that we 
are not currently well structured to achieve these goals. My former 
office in the State Department, the first of its kind anywhere in the 
world and now emulated by over 25 countries, has now been demoted for 
over a year sending an unfortunate message to both our friends and our 
adversaries that we do not prioritize these issues. Moreover, the Cyber 
Coordinator at the National Security Council has been abolished. That 
role helped coordinate all the interagency efforts (including helping 
to resolve potential conflicts) and also served to up our game and 
profile on the international stage. Though structure isn't everything, 
and a lot of folks throughout the interagency continue to do good and 
important work, these changes again signal, intentionally or not, a 
lowering of priority when we are at a time when, if anything, the 
priority and profile of these issues should be raised.

                                  [all]