Practice English Speaking&Listening with: Q&A at the CEPS-Google event - Part 1

Difficulty: 0

MALE SPEAKER: But I just wanted to raise three very

brief points.

The first one is that I don't want to say that there is a

conflict between security and data protection.

Because usually what most of our members do is actually to

ensure the security of the user's software computer

system and at least indirectly--

and many members actually provide software solutions for

direct protection of the data.

But we should actually rethink-- and this is actually

what we speak today about--

reconsider options.

It shouldn't be the case that when a company's protecting

its user, and is actually checking an IP address to

reduce spam to protect the periphery of a bank, to

prevent financial fraud, that this is considered to be

personal data.

Like the example you, Peter Fleischer, mentioned with a

lady with a red coat that you can recognize.

Because this data actually, before going to an ISP and

doing some checks for which usually you need at least some

sort of law enforcement support, is impossible

actually to make any use of it.

And we have actually today the conflict that IP addresses,

when security companies process them, are considered

to be data protection.

So actually in theory I have to go to the spammer, say I

will actually process your IP address, do you agree?

Oh, you don't agree?


I delete the spam.

And I deliver the spam actually to the recipient.

Second point is we have heard--

of course nobody has seen the draft--

that the e-privacy directive proposal from the European

Commission may include a breach notification provision.

We fully agree as well--

I disagree, Alexander, that has to be only encryption to

create sort of a safe harbor.

We should think about more openly to say, if a company

actually makes the data it has unusable to a perpetrator that

they shouldn't actually have to notify the data subject.

Because then we lose either trust in the internet or we

lose interest, as Peter Fleischer mentioned.

And the last point is I really would like to emphasize--

I don't know how many lawyers are here.

Could you please just raise your hand to show to the

people that Brussels is full of lawyers.

I am a lawyer.

So actually it's pretty full of lawyers.

MALE SPEAKER: That's pretty scary.

MALE SPEAKER: Please raise again your hand all of you

that always read any contract.

Always when you go shopping, you ask for the general terms

and conditions of the shops.

OK, no one.

So you see even lawyers don't even read the small text.

And we should actually not think we can force people to

read things and to be aware.

It's an option.

It's convenience, a quick easy convenience thing.

So don't be paternalistic.

This is just my call as a consumer, and not as a trade

association to make it [INAUDIBLE].

Thank you very much.

MALE SPEAKER: We collected a number

of comments or questions.

So there was a question there?

SIMON HAMPTON: Simon Hampton.

I work for the Time Warner.

I was interested by Mr. Hustings' remarks about the

importance of bringing third parties into helping enforce

data protection rules.

And I'm really optimistic that we'll see something along

those lines perhaps in the forthcoming changes to the

e-privacy directive.

And I think that would be very valuable.

But my real question was perhaps

more to Peter Fleischer.

You mentioned they need to rethink

the adequacy framework.

And you could argue that actually this is an area where

the data protection agencies have been pretty forthcoming,

starting from a fairly simple set of rules in the directive.

We have model contracts.

We have the safe harbor.

We have binding corporate rules perhaps not yet totally

willingly implemented by all of the regulators.

But there's certainly been some good

momentum in that side.

So you seem to be talking about an even

more radical change.

I wonder if you could say a bit more about that.


PETER FLEISCHER: Well, I'm happy to.

When you look at the list of countries that have been

formally declared to be adequate, it's a rather small

list. Argentina, Guernsey, and such other mega

powers around the globe.

As I think about that issue, structurally other very

important countries, that in my opinion have very

meaningful data protection regimes that look very

different from Europe, such as--

take the example of Japan--

would never be able to achieve adequacy

under this set of rules.

And I think the cause more broadly of

privacy is not well served.

Because if the idea is that a country has to meet this very

complex set of rules in order to be declared to be adequate,

and any country that takes a different approach cannot be,

I think we've made the mistake of confusing the principles

with the administrative application.

And I think the ambition is to have a much more inclusive set

of privacy standards for a much broader number of

countries around the world.

The idea that India would adopt something that would be

adequate under this set of rules is

in my opinion unlikely.

So we shouldn't use adequacy with-- the best shouldn't be

the enemy of the good--

as simple as that.

MALE SPEAKER: Can I jump in here and make a point of

adequacy is certainly not equivalence.

It doesn't mean do you look like me?

Do you have something which resembles the European



It's a functional test. We've been always very clear on this

that there should be a number of principles in substance.

And they should be put into effect.

There should be means of redress.

And they could be different.

It could be self-regulatory entirely.

So although the present list of adequacy findings is rather

limited, it doesn't mean that there is not a larger number

of laws around and arrangements around the world

which are in fact adequate for practical purposes.

So let's not beat around the bush.

I would agree with revisiting that framework.

Because we simply need more global privacy.

In the arrangements, we need to think in larger units.

Decisions on a national basis, and then adding up 27

decisions do not make sense in that new world.

There was also a question about IP addresses.

Amd it was related to spam.

And I wasn't quite sure whether you were

on the right light.

IP addresses simply as a fact are in many

cases personal data.

Because they relate to personal behavior.

In other cases, they're not.

But for practical purposes, this is the rule of thumb.

But what's the consequence.

You seem to suggest that is a disaster if

it is personal data.

But that's not the problem.

If you deal with something legitimate--

you were describing a situation which

was close to it--

then I would say go ahead.

But make sure that you do what is necessary.

And it may not be possible under these circumstances to

inform a spammer if it doesn't make sense.

So what's the problem really?

What was the point you were making?

I don't think there is a problem.

MALE SPEAKER: But there is a problem.

You have--

MALE SPEAKER: Well only if you argue on my new [? browns ?]

and enlarge the problems of the exception.

But there is not a problem.

Just go ahead.

And be realistic and no nonsense about this.

MALE SPEAKER: There is a problem.

Yeah, I think I can just clarify.

We have had actually the problem where member companies

have had actual data protection units knocking on

the door and saying what are you doing?

It's [? legitimate. ?]

And the case is--

spammers is just one case.

And actually this is a gray zone in many cases.

What we have is the case where you need to check IP addresses

at the periphery of a bank.

And that may be a perpetrator, but some cases maybe not.

That doesn't mean that you're actually targeting down the


But the processing alone of that IP address, checking it

against a blacklist, could actually be and is regarded to

be in some countries as a breach of

data protection laws.

MALE SPEAKER: Well the rules may apply.

But if your activity is legal and is legitimate, I don't see

really a problem.

We should discuss that in more detail.

But I don't think it's a major problem.

And I want to set this straight.

MALE SPEAKER: Any other question from the floor?

Yes, please.


The microphone's coming.


be well understood by the people on YouTube.

My name is [? Aoka ?]

[? Hafsma ?], former commission official.

I was actually very interested Mr. Hurstings' in several of

your ideas, suggestions.

I don't know whether they are already very concrete.

And particularly the one which the gentleman from Time Warner


the third party certification or auditing.

If I may take an example mentioned by Peter Fleischer,

if we listened to Peter today.

Your practices were amongst the best on the internet.

If I see cookies deleted--

I don't know whether you said deleted after two years or--

I always understood that you altered them and that others

actually delete them.

But that you didn't go quite as far.

So it would indeed I think be very good to have someone, a

third party, say OK, well what's happening here is good.

If I may be a little provocative--

I mean a couple of months ago there was a third party which

looked at search engines.

And I think privacy international ranked Google

last. How formal do you want to be on those third parties,

Mr. Hurstings?

I mean would you like to have criteria?

Is this the sort of third party you're thinking of?

Could you explain a little bit further?

Thank you.

MALE SPEAKER: The idea is mentioned in an opinion I

issued in July.

It's on my website.

You check it.

It's a reaction to the commission's policy paper on

better implementation of the current directive.

It is only a short text.

But what it refers to is that it would be a good idea-- in

fact, it is already happening in a number of member states--

that responsible companies ask ADP auditors, privacy

auditors, according to principles of that profession,

to check what they have, whether they are compliant and

produce third party evidence.

That would be very good.

Because if they demonstrate this and would dare to mention

in their annual accounts, in many cases these companies are

on the stock exchange, that this is their track record for

privacy compliance.

I think that would be an extremely powerful mechanism.

And DPAs would love to rely on that and of course check

whether it's correct.

So we don't believe this no matter what.

But it is an example of just increasing the stakes in this

online privacy world.

And I know that many companies would like to do it.

I don't think that the European community would want

to regulate this in detail.

This is as just a good idea.

We need to open up the system so that this can happen and

then competition will certainly take its role.

Because the leading privacy compliant companies would like

to show this.

That's the idea.

PETER FLEISCHER: We have hundreds of

millions of third parties.

They're called our users who look at what we do.

And I think we believe strongly in a technology

solution rather than a very expensive cadre of lawyers or

accountants to look into this.

So we're building a technology solution, one example of which

we've launched that's called web history that allows any

user to open an account and to see every single piece of data

that we hold about them, every search they've conducted,

every website that they've browsed as long as they've

been logged in through Google.

They can see every single element.

They can delete any element from the system that they want

piece by piece or the entire thing.

To me it's a technology enabling a level of

transparency such as we've never been able to see before.

We've already got it.

It's called web history.

Take a look at it yourself.

I think it's fabulous from a privacy perspective.

MALE SPEAKER: I agree with that.

That's a good approach.

But the link between the two is the architecture.

We need to have mechanisms to verify whether the

architectures is OK.

It's fine, of course, that clients can have access.

But you need to be able to find in the information

infrastructures that this is what it should be.

And companies like yours would like to be able to demonstrate

that-- just not in a letter-- but

present third party evidence.

And that's the idea.

You can in addition to that increase transparency.

That's what you do, an open door policy.

But the two need to be in combination.

Otherwise, there is insufficient trust.

MALE SPEAKER: Any questions or further comments?

There is one here.

Yes, this girl.


Interactive Advertising Group.

Last month it was reported that Peter Fleischer was

calling for a new global convention on privacy.

And I'm just wondering what the reaction has

been to that so far.


Well thank you for that question.


I'm glad you noticed.

The reaction has really been quite positive.

Because what I was doing was pointing out a series of

technological tectonic shifts that I think have occurred and

that do present some fundamental challenges to the

regimes of privacy that are in place and the ones that are

lacking and need to be in place for

these broader issues.

From my point of view, what we're trying to do is help

contribute to a policy reflection that will help to

set the foundation for this five years

from now for the future.

These things tend to work slowly.

But they're urgent.

So it's not just what do we do today in terms of compliance,

but what do we collectively do in terms of building the

foundation for a successful internet in the future?

And I think the reactions have been extraordinarily positive.

I would say that we're just one learning from all of this.

Multinational companies like Google, we already operate

everywhere in the world.

This is not about US or Europe.

It's about operating around the world.

We're not not European.

We're not just American.

We really are global actors.

Because we have to be.

Because we have users around the world.

And because that's the nature of the global internet

architecture in particular.

And I think people are starting to see that we need

to rethink concepts.

Let me just give you one example.

The internet, I think, is the most fundamental revolution in

data collection and data transfer since the development

of the printing press.

Now if the most fundamental revolution in the last 500

years is not going to present some challenges to traditional

notices of data protection, then I don't think we're

challenging ourselves to think things through again.

And I think that's been the reaction, far be it from one

company to suggest how exactly things should happen and

through, what bodies, whether it should be via a convention

or via other mechanisms, just an extension of the OECD

principles and recommendations.

We're not getting into that.

That's not appropriate for Google.

What we're talking about is technology revolutions and the

challenges on the internet.

And I think that's the way it's been heard.

And I've been absolutely delighted.

The Description of Q&A at the CEPS-Google event - Part 1