🔒 Protecting Privacy & Ensuring Data Flows: A conversation with BSA | The Software Alliance

Welcome to another segment in our Privacy and Compliance Week. I'm here with Thomas Boué of BSA, the Software Alliance. Welcome, Thomas. Thank you, Petra. Great to be here. I think the topic of today is a very, you know, relevant one in the week that we're having. And we're talking about privacy. We're talking a lot about Cloudflare's approach to privacy. And at the moment in the EU, where you are, you know, the director for the BSA office in Brussels, I think there's a lot of discussion going on around privacy, but also about data flows, around how do we treat data. And the EU is, you know, there's a lot of policy debates going on in this regard. Maybe just to introduce, first of all, BSA. Could you say a little bit about who, you know, who's BSA and your role, maybe also in the Europe office? Absolutely. So, well, first of all, thank you for having me. It's great to be here. And so BSA is a global trade association representing enterprise software companies. So BSA, we are a global organization. So our headquarters in Washington, D.C., but we have about 10 offices around the world, many in the Asia -Pacific region with a big hub in Singapore. And we have an office in Brussels that I run. And our job is to represent our companies, primarily enterprise software companies, as I said. And Cloudflare is an esteemed member of BSA and it's great to have them with us. And our job is really to talk to policymakers, to regulators, as policies are being developed to bring the point and the voice of the software industry in the different legislation that will be devised in Europe. There's a lot of that going on. Exactly. Yes. And I think the purpose of our chat today is also to kind of go a little bit deeper into, as I said, the EU debates that are happening right now. I think for our viewers, you know, I'm also based in Brussels and, you know, Cloudflare, you know, we follow those debates, you know, with great interest. And I think it would be great, you know, great to have a chat with you today, talk a little bit about your kind of view on the current discussions. Maybe just to start on data flows. I think, you know, most of us would agree that, you know, especially now in the pandemic, we have seen an increased, you know, reliance on digital technologies. Everybody's working from home. But also, you know, there's a lot of economic, you know, benefit that companies get from data flows. Could you just outline a little bit, you know, what BSA's view is on that? Absolutely. And thank you. Thank you for this great question. I mean, data flows is maybe one of the most single important issues that we're facing today. And data flows is usually perceived as a technology issue, but it's not a technology issue. It goes about every company, every sector, every size of companies that today has customers, partners, vendors, research operations in different parts of the world. Because all the operations will have to go via some kind of a data flow. And Petra, you mentioned it very well. The COVID-19 situation has shown the dependence on data flows by all sectors. And I would even go beyond just not just by the economy, about society and our way of life in general. I mean, the way that we've kept in touch with our families, our loved ones, our friends all around the world was all dependent on data flows. And that is maybe one of the very, very important issues that we're facing. And you said it, data flows are in a bit of a difficult and strange situation at the moment. There's a lot of movement about that and potential restrictions to data flows. That is of concern. And that's why, you know, we at BSA, we spend a lot of time with our companies to talk about data flows, to try to create the conditions for global data flows and the facilitation of that. I will do a little bit of self -promotion here as well. And just to highlight that it's not just about technology companies. Earlier in 2020, we launched the Global Data Alliance, which is an alliance of BSA member companies, but also companies from a variety of other sectors, from pharmaceutical to airlines, to automotive, companies who rely on data flows, but who usually did not speak as much about data flows before, but who are realizing that they would need to have also a voice for them in these discussions, in these debates as they are actually happening. Yeah, exactly. I think you're really right in saying that, you know, there is a lot of different sectors that are depending on that data can flow, you know, freely, globally. But I think there has been a lot of discussion, especially, you know, since the judgment of the Court of the European Union on the SRAMS 2 case, that there's also obviously a question of protecting privacy while doing international data transfers. Could you maybe kind of give a bit of the background of the SRAMS 2 case, because BSA was a partner in that case? Maybe just to give a bit of a sense of where we are now as well, you know, a couple of months after the judgment, there's a lot to happen. So it probably would be interesting for our viewers to kind of get a bit of overview of what happened so far. Absolutely. So you said it, and I'm sure I said it before, actually, privacy and data flows go hand in hand. I think with, and it's particularly valid in our context, in the enterprise software context, you know, the customers of our companies, of Cloudflare companies, which are other businesses, and sometimes governments, you know, rely on privacy, because entrusting companies with the data needs to also go with strong privacy protection. And that is an absolute prerequisite. Now, in Europe, the situation for data flows with regard to personal data and privacy is slightly different than maybe other places around the world. And the starting point in Europe is that the data cannot flow outside of Europe unless there's a number of privacy protections that are met. And you mentioned the SRAM's case that was decided, SRAM's two case that was decided earlier this year, which was pertaining to the standard contractual clauses, which is the single most used mechanisms for transferring personal data outside of Europe, which is used today by more than 90% of the companies transferring data. And this was called into question in this case. And in July, so the Court of Justice upheld the standard contractual clauses, said they were valid transfer mechanism could continue to use. However, the court added a few new requirements that companies have to do in order to be able to transfer data outside of Europe. And these two requirements are twofold. One is companies now have to do an assessment of the laws and rules around the data in the third country, the country of destination, to make sure that the privacy protections that European citizens benefit can be met. And if they cannot be met for a variety of reasons, then the companies have to add additional safeguards in order to protect the data. And these safeguards can be of contractual, organizational, and or technical nature. And so that is where we are today. There's a lot of movement happening on how do we go from there? What do we do? How do we conduct all these analyses? How do we add these safeguards? There's a lot of work going on. And I'm happy to go into as many details as you wish. I mean, I could talk about this for hours, but we also don't have, you know, the whole day for this. Yeah. And just wondering, maybe from your experience in your conversations also with your members, a lot of them are businesses that also have significant presence outside of the EU. So especially this runs to judgment, as you say, you know, a lot of companies rely on standard contextual clauses. There's a lot, of course, I can imagine uncertainty amongst, you know, the industry in general. And as you say, it's not only the tech sector, but it's like the wider economy that kind of depends on data flows. Do you notice any kind of, you know, concerns or kind of uncertainties that are kind of most prominent in, you know, from, let's say, a business continuity perspective, like from your membership, let's say? Well, from the membership, I think the companies are very much they've been focused on this issue for a very long time. And maybe, you know, maybe our industry or sectors, our organization has been one of the one looking at these issues for maybe the longest time, because we were digital from the beginning, the data flows and the, you know, the specific safeguards needed to be added to the data for data flows has always been a real sort of focal point of us and of our companies. And so today, what the companies are trying to navigate between sort of three things, understanding what the decision and actually entails in practice. Second, there was recent draft guidance by the European Data Protection Board. So the body that brings together all the data protection authorities, the regulators in Europe that provided very detailed guidance that is still under public consultation. And in the meantime, or right after that, the European Commission actually issued a new set of semi -controversial clauses that are also under consultation to try to bring a lot more, you know, clarity and help to the discussion. And at the moment, so what we're all doing is we're trying to understand exactly how do we go from there? What are the steps? How can we really make sure that that, you know, there's a strong privacy component to this and we protect the data, but also how we can make sure that it continues to flow, because ultimately it's for the benefit of all of the business customers of the companies, which is, you know, as I said, other companies, you know, large or small, multinationals, but also governments who are also relying on this. So there's a lot of there's a lot of time spent on all this. You know, I've been, you know, living and breathing this for, you know, for the last, you know, very detailed for the last four years, as you said it before, BSA, we were an amicus curiae in the Shrems case, and we made a number of arguments in front of the different courts in Europe, including the CJU. And so now that we have, you know, decision, we have some guidance, we have some USCCs trying to work that in practice to make sure that there's a business continuity, that customers actually do not feel any change, but that, you know, the privacy protections continue to be there in the best manner possible. Yeah, exactly. Yeah, I think we'll have a very interesting year next year, where we're seeing what, you know, the outcomes of those consultations, as you mentioned, and to see also, you know, how to kind of further kind of development out of this Shrems 2 case. We're definitely not having, you know, a dull moment in Europe, even during a pandemic, where, you know, all of these other things are still going on as well. You mentioned, kind of, you know, that we need to kind of find a way forward, I think, I've heard you say this before, as well, on other occasions, I think that's also BSA's feud, like we need to try to find a solution to be able to continue, you know, business as usual, that is so important for business, especially during these times. Is there any kind of recommendations that you have been giving to, let's say, the European Commission or to the US government about how to kind of move forward on this? So we have, and we keep thinking about these things, and while we work on the SECs as a practical matter, because SECs are used for transfers to about 180 countries around the world, we also spend a lot of time working on the specific EU-US data transfers mechanisms. And, you know, we mentioned the Shrems case, what happened with the SEC, so the SECs were upheld, which is a very good thing. At the same time, during the decision in July, the court annulled the EU-US privacy shield, which was the, you know, mechanism that, where the European Commission recognized the United States or parts of the United States as adequate, meaning that the level of privacy protections afforded by companies under the purview of the Federal Trade Commission was equivalent to what was in the EU, and that when companies were certifying to that program, they could transfer data without the need to add standard clauses or any other mechanisms. So that mechanism, the privacy shield, is no longer there since July 16. And so, you know, there's been a lot of efforts since then by the European Commission, the US government, to try to find a way forward to recreate a new agreement between the two markets for a much more streamlined and facilitated data flows. So we also spend a lot of time with the European Commission, with the US government, trying to help give ideas and thoughts on how these issues could be moving forward. We're very supportive of these efforts. We hope that we'll see something happening, you know, in the next year that would certainly be a very important development. But in these issues pertaining to data flows or concerns that there have been about data transfers, it's not so much about the company privacy practices and what the company is doing with the data. The issues that was really in the spotlight of the Court of Justice was national security practices and the level that law enforcement in third country, including the United States, have over data that is being transferred. So these issues are very important issues because on the one hand, you know, governments have a clear duty and responsibility to protect their citizens, to protect their economies from undue attacks and to conduct these investigations. At the same time, you know, our companies also have a duty to protect the privacy of their customers and ensuring that the data can flow, but also being responsive to legitimate requests from governments to conduct their legitimate national investigations. So the crux of the matter here is about real law enforcement access to data and the level of safeguards and of certainty that there can be in that space. So one of the, you know, so one of the things that we're thinking about, that we're spending time about thinking about, is obviously it's going to be a long-term project because it's something that needs to happen, you know, or that will not happen overnight. But it's about how can like-minded elected, like-minded democracies can find a way to create a standard and that standard, you know, can be devised a variety for us and others, but what will be the standard for acceptable government access to data and national security practices? What would be the ways that they would conduct these investigations? What would be the safeguards that exist? What would be the means of redress or of challenging those? And that is the thing that needs to happen between countries that are like-minded, that value privacy, but that also value, you know, the security of their citizens, and how can it go forward by creating the standard that would then bring a lot more clarity, a lot more certainty, and a lot more appeased views in this entire debate. And that is the thing that we think is essential. We know that there is some work being done in certain fora, for instance, in the OECD context, and countries are starting to think about it. We very much encourage them to do that, to do that more, and to find a way forward, because this will only come through their leadership. You know, obviously, you know, companies will be supporting these efforts, but it's out of our hands. It's really up for governments to do that, you know, amongst themselves. Yeah, thanks very much, Thomas. That's a very, very comprehensive overview. And indeed, I think it's a long-term project, by the looks of it, and, you know, governments indeed need to have those discussions. So I think maybe just kind of turn a little bit to the European, let's say, debates as well, because we've talked a lot about international data flows. But of course, within the EU, there's a lot of data flowing around as well, where the Commission, as well as national governments, have been looking a lot at different concepts and different kind of policies to, you know, to kind of encourage data sharing, especially with this new Data Governance Act that the Commission has published recently, but also with projects like IAX, that is kind of started with the German and French governments. I think kind of along comes as well a concept of digital sovereignty, or data sovereignty of the EU, which of course is also, you know, linked a little bit to the discussion that we're having around trends and about, you know, kind of international transfers. So I just wonder if, you know, you could share a little bit your thoughts on where the debate is going in Europe on that piece. Yeah, I think, you know, it's a good point. I think there's a lot of discussion, a lot of things happening in Europe around that. And digital sovereignty was a concept introduced about a year ago by the current Commission, the underlying Commission. And that's, you know, for a while there was a lot of questions, because digital sovereignty had not been defined. So it was like anybody could understand what they wanted with that. And I think, from our perspective, you know, we very much welcome the definition that the Commission President Ursula von der Leyen gave to what she understands, what she believes the EU understands with digital sovereignty, which is, it's the ability for the European Union to devise the laws and the regulations that are consistent with, you know, with our values, you know, with the European values, with the European ways of doing things, and trying to have, having the sovereign rights to devise these policies to make sure that the data sharing, data access, you know, are fully in line with our way of doing things and with our values. Now, the corollary to that is, as long as companies, you know, respect and abide by these rules, and, you know, follow these, they are welcome to operate here. They're welcome to engage, you know, in commercial activities, to process data, store data, transfer data, et cetera, as long as they follow the rules. And I think, from that perspective, there's no question about it that, you know, it's absolutely fine. This is something that nobody can argue, which is absolutely normal. I think any country around the world has the right to do that, enact their own laws, their own regulations, according to their values, to their views, to what they wanted to achieve, and then that, you know, in full respect of the rule of law. And that is absolutely fine. Now, you know, where we come in, and to come back to the beginning of our conversation, is, you know, as these policies are being developed, you know, our role as global organizations, global companies, is to come and also help the European Commission, the European institutions, to work these policies in the best way possible. How do you, you know, achieve your objectives of, you know, of creating rules that respect the values, and et cetera, while also ensuring that, you know, they operate, they work in the global economy? I mean, today, you know, no, you know, you know, there's the old saying, you know, no man is an island, no country is an island. And, you know, the European Union, you know, is also operating in a globalized world. And how do we make sure that there's a way for all these laws to actually work with one another, to ensure that we reach, you know, some kind of a global convergence of norms on things that really matter, that actually help, you know, to move, to move our societies, our economies forward. And that is a thing that, you know, is important. You know, you said, you know, you mentioned a number of legislations that are on the table, that will be on the table, you know, the Data Governance Act, the European Data Spaces, you know, we'll see, you know, in a few months, also some regulation on artificial intelligence, that is a very strong focal point of the EU. And so, yes, it would be, you know, a very important element to work these, and to make sure that, you know, they reflect European values, obviously, but they also are, you know, you know, working in a, you know, in a globalized world. And what's, you know, comforting to me, to us, when we also read what the European Commission has done in their, you know, European Strategy for Data from February 2020, there was a very strong push for the EU being open. So looking at these policies, but again, in this view of, you know, like, not looking inwardly, but looking outwardly, how do we create this so that we can, you know, grow, we can compete, we can export, we can continue to do that. And that is a very important element and something that we'll be, you know, working very closely here to make sure that these are reflected in final legislations and in the final, you know, ways that companies will continue to be able to operate and offer services to customers and governments in Europe and beyond. Yeah, exactly. So I think we should see it also as an opportunity for everybody to, you know, if Europe grows, you know, the global economy grows as well. Absolutely, absolutely. And Europe is, you know, Europe is one of the largest, you know, economic markets in the world. You know, the EU, you know, and the US, you know, have similar, few similar values, you know, we see either way, maybe two of the two closest, you know, largest economies in the world. And I think working hand in hand and working together is the way forward. I think one of the things that's really encouraging that we're seeing is this recent new initiative from the European Commission from last week, I believe, which was called a new strategic partnership. Let me get the new EU-US agenda for global change, in which the Commission sort of pledges a number of work with the United States, moving forward on a variety of topics from, you know, climate change to trade, to technology, and how do we how do we move forward? How do we work together to really create, you know, a place where economies can grow can compete. And while there's a strong EU-US focus, it's more about how do we work with like minded economies around the world, you know, Japan is one and there's many others on how we can we can achieve that. And there's very sort of positive elements there that we look forward to seeing. And then, you know, in particular, you know, we were mentioning, I was mentioning, we were mentioning these two topics. There's a willingness in this document in this outline for how do we move forward to create a transatlantic AI agreement? How do we create a blueprint for, you know, global regional standards that will help, you know, the development, the use, the deployment of artificial intelligence in our societies for the benefit of all and economic growth. There's also a strong push to work together on a bilateral and multilateral multilateral level to promote regulatory convergence and facilitate free flows of data. So these are things that are very, very uplifting to see this willingness to engage to realize, well, we need to work together. These issues, you know, nobody can solve them on their own. You know, just like, you know, one sector cannot solve all issues. Sectors have to work together. You know, we're talking before, you know, data flows is all sectors, all sizes of companies. And, you know, working with like minded governments, partners, how do we how do we take this forward? This is something that is that is extremely important and that we that we very much welcome. Yeah, yeah, exactly. Thanks. Thanks so much. That's a very comprehensive overview. And I think, yeah, we're all looking forward to see, you know, how that agenda for global change will, you know, kind of be further developed next year, especially with the new, you know, Biden administration coming in the US. So I think it will be very interesting times. Maybe just as a final question, as I know that we're kind of coming up to the end of the session, just kind of your thoughts for 2021. It's very broad. And, you know, it's very uncertain with the pandemic and everything. But are there any kind of, you know, in in, of course, the topic of privacy and data protection? Is there any specific things that you're looking forward to, or that you're kind of, you know, thinking, you know, that there will be some developments that are interesting to to watch? Well, I think, you know, and I always say I'm a very optimistic person by nature. And, and, you know, so I think, you know, 2021 brings a lot of opportunities. I think we know if we talked about about this, you know, a year ago, no one would have realized the world the state of the world we were in today with COVID-19. I think today, there's a broader realization that, you know, this interconnectivity of the world, the need for data flows, the need to ensure responsible data flows is actually there. And there's a lot of things happening. I think, you know, in 2021, you know, I'm hopeful that we will see a new EU-US privacy shield that will be negotiated between the EU and the European Commission and the United States government to facilitate data flows between the two markets, that there will be, you know, some proper ways forward for streamlining and robust streamline and robust standard closure clauses that companies can be used then for your transfers to 180 countries around the world. We're also hopeful, you know, in the context of trade, you know, there's a negotiations going at the WTO today on e -commerce. And again, that looks at facilitating data flows between, and there's, I think, 86 or 88 countries in the world that are participating in that. And then there's movement, there's a ministerial conference in June of next year, hopefully that will bring some new disciplines, some new, you know, yes, way forward and vision, you know, hopefully the negotiations between governments on national security practices, how to create the standard for like-minded countries will also continue moving forward and bring, you know, the solace, bring the peace place where we can continue, you know, first recovering from the pandemic. I think this is the first thing that we'll have to count, but also how do we move from there? How do we really, you know, build on what we have and continue to be able to communicate, to do commerce and for the benefit of all of our societies in general. Thank you so much. I realized that we're almost out of time. This was very, very interesting. And I think it's very, indeed, a very optimistic view of 2021. So let's hope that, you know, we'll see some constructive way forward on a lot of issues that are, that happened this year. I want to really thank you for contributing to the, to our discussions in our privacy and compliance week. This has been very interesting, very helpful. I hope for everybody who's been watching to get a bit better sense of what's happening in Brussels and in Europe, but also, you know, in the transatlantic area. So thanks again. And yeah, I hope you found it interesting as well to exchange some views with us. Absolutely. Petra, thank you very much for inviting me. It's great, great to be here. It's great to talk to you. Great to talk to, you know, people watching this. I think it's, it's, it's, you know, it's, it's been, it's very good, you know, discussion, you know, obviously we could have gone for, for a lot longer time. I don't have that, but, you know, I think that there's a lot of positive that will come out. One thing is for sure that we at BSA, colleagues, our members, we continue working hard on these issues. They matter a great deal and we will find constructive and practical, pragmatic solutions to move forward. And so that, that is. Thanks a lot. Thank you, Petra.