Remarks prepared for delivery by
Counselor, Delegated Duties of Under Secretary for Economic Affairs
U.S. Department of Commerce
TRUSTe Privacy Risk Summit
San Francisco, California.
June 8, 2016
I want to thank TRUSTe and everyone here for the chance to share some thoughts about the Privacy Shield.
I’m sure most here know quite a bit about it, so I’ll just touch on the highlights. In simple terms, Privacy Shield is an innovative framework designed to protect personal data as it flows across the Atlantic. It’s not an international agreement, treaty or law. It’s a voluntary set of principles with mechanisms for robust monitoring, enforcement, redress and accountability.
In a nutshell, it provides greater safeguards for personal data on both sides of the Atlantic. It provides greater clarity and certainty for businesses in handling data from Europe. And it opens the door for even more digital business and trade.
Let me give you a sense of why the Commerce Department taking the lead on this for the U.S. I’ve found that a lot of people don’t know what Commerce is or does. Some think we’re SBA – the Small Business Administration. But that’s a separate agency.
Our job at Commerce is to boost the nation’s economy, our global trade, our innovation and our technology, and bring a font of data, stats, research and analysis to help business and the economy grow and thrive. We have the Patent Trade Office, the International Trade Administration, and National Oceanographic and Atmospheric Administration, the national weather service. And we have the Economics and Statistics Administration, which I run, and which includes the Census, Bureau of Economic Analysis, and leads the Department’s efforts on open data. Commerce also has BIS, EDA, NTIS, NTIA, and several other agencies. My kids think I work at the alphabet.
Our Commerce Secretary, Penny Pritzker, has laid out a five-point strategic plan focused on trade and investment, innovation and data – reflecting that Commerce and the country are “Open For Business.” A big priority of mine is getting our valuable of data into the hands of businesses and other innovators, nonprofits, advocacy groups, and our people in ways they need it, and can use it. We have incredible economic data, income data, demographic data, weather data, intellectual property data, and more.
Many companies are finding new ways to harness our data. Zillow uses our demographic data to track the housing market down to the neighborhood. Target uses our economic statistics to track consumer habits in their store locations. And there’s a nonprofit called Arjuna Solutions that uses our data to help charities tailor their donor requests. Just this past Saturday we hosted the annual “Civic Day of Hacking” in Washington, DC, one of dozens around the country. We challenged hackers to solve a range of issues, from helping people apply for affordable housing, to fighting the spread of the Zika virus. In DC, we challenged our hackers to harness our data to help very small businesses expand and succeed.
We all know that data is the lifeblood of the Digital Economy. And a big challenge today is protecting the security and integrity of data, including personal data. That brings me back around to Privacy Shield, which I believe will advance data privacy by addressing two important realities in the Digital Age.
Reality number-one: Progress often beats process. In a free market, regulating commerce is balancing act. You want a process that achieves the desired goals with due process – involving all stakeholders, balancing interests, and the like. But you also need a process that keeps up with progress.
Let me illustrate. Some of you may know about the old Chesapeake & Ohio Canal – the C&O.
It starts in DC, in Georgetown, and was supposed to run almost 200 miles to the Ohio River at Pittsburgh. It was launched in 1825. The goal was to connect the growing mid-Atlantic and Midwest markets, and compete with the Erie Canal that connected the Northeast markets to the Midwest. President James Monroe chartered the C&O. President John Quincy Adams turned the first spade at the groundbreaking.
It was quite a complicated project, engineering-wise. But that wasn’t the only hang-up. In a project this big, affecting so many stakeholders, there were a lot of conflicts. Workers from different countries didn’t get along and had to be separated. There were local complaints and resistance, contract confusion and disputes, competing goals, and so forth.
In the end, they finally finished the first 50-mile leg and cut the ribbon. There was just one problem. It was obsolete before it opened. The B&O railroad, which started at the same time, for the same reason – to compete with the Erie Canal – was already up and chugging along. The C&O was never finished. Today, it’s an interesting historical site. Meanwhile, the B&O railroad is still running in places under the CSX freight train system.
Obviously, the story is more complicated than that. But the point is, progress doesn’t wait for process. Progress can leave process back at the station. Especially in the Digital Age when progress happens every second. Much better if process gets on board and guides the train of progress.
That was our goal in Privacy Shield – to establish a process that would protect data privacy in a way that would reflect and promote, and not impede, progress. Within that goal, we recognized that the framework had to be flexible and open to adjustments as we went along. So a key element is the annual joint review mechanism. Working together, the US Commerce Department and the European Commission will monitor how the framework is functioning.
Legislative solutions often tend to be static. They reflect current realities, and best guesses about the future. In the Digital Economy, with technology changing every day, a patchwork of data privacy laws could be overtaken by progress before they’re done. Not unlike what happened to the C&O Canal. The Privacy Shield framework addresses the problem of static solutions by being organic and iterative. It’s a living document that we will review and improve in the future.
My second reality today is not new: In fact, the early 20th century industrialist Henry Kaiser captured it pretty well. He said, “Challenges are just opportunities in work clothes.”
Certainly, adopting and adapting to new privacy rules, regimes and requirements is a big challenge. It’s not easy or cheap. As practitioners, you know that better than I ever will. But we all know that some of our greatest advances in technology came from some of our greatest challenges.
Look at Henry Kaiser: He was known as the “father of modern shipbuilding” for a reason. During World War II, the challenge was to build cargo ships quickly. Back then it was hard to do because ships were assembled using rivets. But one of Kaiser’s associates visited a Ford assembly plant and saw the workers using welding instead of rivets. Kaiser adapted welding to shipbuilding, and turned out ships in an average of 45 days – some in just four days. And he changed shipbuilding forever.
On another front, Kaiser faced the challenge of quickly providing healthcare to tens of thousands of shipyard workers. Long story short, he set up the first group health plan in America – Kaiser Permanente.
Some in the media and internet discussion look at Privacy Shield solely as a challenge to work through. But I have seen something else. As I have travelled the country and engaged with start-ups, growing companies, and significant actors in the digital economy, I have been struck at the scale of the investment that US companies are making to protect privacy. Our companies are investing at incredible scale on technologies and services to make sure they can innovate while ensuring that they can protect privacy. And, the business sector is transforming data privacy protection from a challenge into an opportunity – with an entire, fast-growing industrial sector.
I call it the “Privacy Economy” – service providers, technologists, developers and others who are helping companies and others to protect privacy. TRUSTe is a perfect example. And most of you here are the innovators, developers, CEOs, and compliance experts in the Privacy Economy.
We need to find better ways to communicate all that you are doing, and all that US companies are doing to protect privacy here, and around the world. It is one thing to have rules and regulations, and it is another to be investing in technologies and compliance on this huge scale – and our investment in privacy is a market advantage that we need to pursue.
With that, I’ll close with a summary thought and then take your questions.
Not far from here, most of you know, is the legendary Pacific Coast Highway. It winds down from here to San Diego, with breathtaking views of the mountains, valleys and the sea. Growing up in Los Angeles, I’ve driven the PCH many times. It’s still one of my favorite places on the planet. A little while back I took my wife and four kids – ages 2, 4, 6 and 8 – for the first time. And while my kids have been all over the world, they still go on and on about that drive.
I mention the Pacific Coast Highway because, in a way, it’s like the global digital highway. It connects many different people, communities and markets. More on point, it demonstrates the old saying – that guardrails let you go faster. Some parts of the PCH are downright dangerous, with deadly curves and switchbacks. But drivers blast along, confident that if they lose control, they won’t go flying off a cliff. The guardrails are also flexible, designed to absorb impact to reduce injury.
The Privacy Shield serves a similar purpose. It puts flexible guardrails on the digital superhighway to protect data. And as a result, it lets commerce and communication flow even faster and safer.
With that, let me thank you again, and open up to your questions and comments.