15 SEPTEMBER 10
OPEN FORUM 5
ICC'S POLICY AND PRACTICE WORK
ON DATA PROTECTION AND PRIVACY
Note: The following is the output of the real-time captioning taken during the Fifth Meeting of the IGF, in Vilnius. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> ANDRIUS ISKAUSKAS: Good morning, everyone. First on behalf of the Lithuanian business committee, I would like to welcome all of you to Vilnius, to IGF, and this special ICC section on data protection and privacy.
As a lawyer working on the issues of information technology, I see the challenges faced by business, policy makers and users as they deal with data moving across borders. No single entity can manage things by themselves.
I am pleased that ICC has organised this special session to showcase the tools it has developed to support the movement of data across borders and to address data privacy and protection issues.
Knowing more about these best practices can help us policy makers, businesses, and users. In everyday work, I notice that many businesses, at least here in Lithuania, see the data protection and privacy regulations requirements as additional barriers to their business and treat it as formalities.
The governmental institutions who are supposed to deal with the data protection also focus more on enforcement than on cooperation with businesses. So I am sure that such initiatives as those of ICC are able to help change the situation. And then without any further ado, I would like to give the floor to the moderator of the session, Ms. Ellen Bacler, who is the executive director of public policy at AT&T.
>> ELLEN: Thank you. Hello, everybody. IGF is founded on the idea that multistakeholder dialogue can bring positive, tangible results. And today we're going to talk about one of those results from the multistakeholder collaboration that ICC and governments have been going through on privacy to create some tools for companies to implement the privacy protections are in place. We hope it will show how we can work together as well as demonstrating some of these tools for privacy.
The ICC is the International Chamber of Commerce. Many of you are familiar with sharing the prospective business. This is an example of how they work to help businesses and governments streamline the implementation practices on some of these policies that can be complicated and make it easier for businesses to both comply and to invest in the various countries where we want to do business.
So you'll hear today about the details of that work from, first we'll hear from Christopher Kuner, who is a partner at Hunton & Williams. He will tell us a little about the task force and the ways that he has worked to increase the efficiency of transport of data flows.
Joe Alhadeff, from Oracle, will talk about the privacy tool kit itself. And Zahid Jamil, who is right now an empty chair, he will be joining us shortly, he is in another session. And he'll talk about the way he's used these tools in Pakistan and how that has worked for a more developing economy.
And we will if you have a clarifying question, feel free to ask each speaker after they make their remarks. And then after everyone has spoken, we'll have a broader discussion. So with that, I will turn to Christopher.
>> CHRISTOPHER KUNER: Thank you very much, Ellen. And welcome to all of you. And thank you very much for coming to our open forum. We're very happy to have you here to tell you something about the work of the data protection task force of the International Chamber of Commerce.
My name is Christopher Kuner. I'm the chair of the task force. And I'm here today to tell you a bit about our work to explain not only some of the specific work we do but to give you an idea of what our purpose is, the kinds of issues we're interested in and what sort of goals we have in our work.
The ICC, of course, is an international business organisation headquartered in Paris but it is a global organisation and has national committees in dozens and dozens of countries all over the world. It's also quite an old organisation, going back to the 1920's. And you probably have heard of ICC in other areas, too, the court of arbitration, work on documentary credits, etcetera. But we've become very active also in ePolicy issues. Our task force has existed for these to 30 years. We're probably one of the older business groups that have dealt with data protection and privacy issues.
But of course, data protection and privacy is an issue which is not any more a niche issue. It's an issue of very broad interest and importance to business. And really for businesses all over the world, for businesses in every sector, the management of and processing of personal data is absolutely crucial in order to survive in the globalized and networked economy.
In relation to this, of course, governments have passed now regulations dealing with how data may be processed and controls, processing of data in order to safeguard the rights and the interests of individuals. And this is what we deal with in the data protection task force.
I would stress, these sort of rules and regulations have come all over the world. Of course, the best known such rules probably are those of the EU and the EU directive. And we do deal a lot with different EU related issues, but we're not an EU focused organisation at all. We really try to focus on issues that arise all over the world as much as we can. I will give you some details of those at points later on.
Of course, data flows is one of our major focuses. I was recently doing a study OECD. I discovered over 60 countries in the world that have regulations on the transport of flow of personal data. And many of them are in Africa, South America, in the Asia Pacific region. And data protection regulation is spreading all over the world. Even if you don't deal with it now in your business, I can predict you soon deal with it. I think it's also important to stress that we at ICC do not see data protection and privacy only as a hindrance to be overcome. Of course, if regulation is not properly focused, it can be a hindrance, but we also see it as an enabler for electronic commerce. I think that experience has shown, since the internet has become widely used, that it's necessary to have strong privacy and data protection, that individuals demand this. Governments demand this. So it's also in the interest of business to appropriately protect the privacy and data protection of their employees, of their customers, of consumers and individuals in general.
We try to keep that in mind, also. We try to aim for appropriate protections for privacy and data that allow business to thrive and to promote growth while at the same time protecting the interests of individuals.
We are, as I said, a global organisation. We focus more on issues of a global nature. We tend not to get so involved in individual country issues. So we don't so much get involved if there's a particular legal law being proposed in a country. We try to look at issues that affect global business, that affect cross border business. And we also try to take a long term view of issues. In other words, we don't just go in and leave quickly, but we try to really establish long term relationships with regulators, to deal with issues that have a long term impact on business because as is true with all organisations, we have limited resources we have to focus. So we try to take the long term rather than the short term view.
We're also not a lobbying organisation. Of course, we have discussions with regulators, but we're not really a lobbying organisation. We try to put forth positions but not in terms of going and trying to spend a lot of time on specific lobbying interests.
In the last few years, we have been trying very much to emphasize and reach out to more developing countries, to countries not in Europe and the U.S. Sometimes I think there's a mistake people make that they read many things in the newspaper and they think that everything having to do with privacy is social networks, disputes between the EU and the U.S. or the European Directive. And that's not at all true. We see this as a global issue. We have in our task force actually members from all over the world. Our members are both individual companies and business associations. So for example, at the last task force meeting, we had members from a number of developing countries. I recall, for example, members from Iran, from Pakistan, from Thailand. We're growing more and more globally. We depend on these members to help us sell our positions in their countries and to inform us about what is going on in their countries that we need to be involved in.
We also have, I think, two main strands of work that we do. First of all, we articulate policies for global business. And secondly, we try to develop actual tools for business. I think as I said, if you think of what ICC is famous for outside of privacy, it is for things like uniform, customs and practices for credits, documentary credits, arbitration, things that are really practical tools for business to use. So we do articulate general policies but we also try to take the policies and make them more concrete.
Many times businesses say to us, well, this is a fine position but what does this mean for me in practice? What is really the practical impact? How can I use this in my day to day business. And this is why we try to then take the practical issues and put them, turn them into policy papers and at the same time, take the policy issues and relate them to the actual day to day work of business so that we try to cover both of those areas.
Now, I'm going to give you a little bit of an overview of some of the work that we're doing now, some of the successes we've had, some of the projects we've had to give you a bit of a flavor. Over the last few years, one thing that we've successfully brought to conclusion is proposing and negotiating with the European Commission two sets of standard contractual clauses for the international transfer of data.
You may know that the restrictions under EU law in transferring data and that one way of dealing with these restrictions is to conclude contract clauses with parties to whom you're going to transfer data outside of the EU. And the EU has drafted and promoted standard clauses for this purpose.
These clauses can be a great boon to business because they mean that the clauses have been standardized. They don't have to be individually negotiated in each case by business. However, we felt that the original clauses approved by the Commission did have room for improvement in that they did not take into account business reality sufficiently. Therefore, we made a proposal to the Commission, we, together with some other business groups, but this was really, I think, we took the lead on this and did the vast majority of the work. And in the multi year process, we successfully negotiated approval of these clauses. They were approved by the Article 29 working party finally, in two formal decisions by the European Commission.
I think that it shows very well, first of all, our dual issues of looking at issues and turn them into concrete tools. These tools are now freely available on the internet. We don't sell them. They're simply something that is out there. They're on the Commission Web site. And companies can now use them, it is generally recognized that these clauses do provide ability to transfer data while at the same time protecting the processing and transfer of such personal data.
We also proposed and had accepted by the Article 29 working party a standard application form for binding corporate rules, or BCR's, which is a type of corporate policy that companies can adopt in order to facilitate the transfer of their data globally.
And I think I can fairly say, there's no other business group which has had these kind of successes in terms of promoting global data flow, has taken the work to draft these documents and then in a multiyear process has negotiated them and had them approved by the relevant European institutions. So this is a very good example of the kind of issues we work on in our kind of approach. I think it's a serious, careful approach. And we also, as is shown by these documents, we have a very good relationship with many data protection regulators. And we regard them as our discussion partners. We don't regard them at all as adversaries. We work with them. Of course, we don't always agree with them on everything, but we do try to work with them because I think when business cooperates with regulators, then both sides win, both business and the regulatory side.
Now as I said, we do both business tools and we do policy documents. Probably the major policy document that we produced is the privacy tool kit. I have a copy of this here. But it's also freely available on the ICC Web site, which you can go to. It can be downloaded. And this tool kit is a result of a trend, as I said, that we identified that there are many countries now which have not had privacy and data protection law and are now in the process of adopting it, or maybe they have such law but they are in the process of revising it. And we thought it was very important to have a coherent set of principles articulated which would allow businesses to go, when they talk to their governments and explain the business positions on different issues dealing with data processing and global data flow.
So this tool kit is a document which can both be used by companies in talking to their governments and in governments themselves in looking at issues such as, what is the effect of information technologies on economic growth; how can you structure privacy protection so that they also allow business to function and economic growth to occur; what are some of the major privacy principles that legislation should contain.
And this is all contained in a very concise, clearly drafted document of about 20 pages. So this is sort of maybe the groundwork of our positions. And most of our position is reflected there.
We also took a position on the so called Basel II principles, which is a set of sort of risk management principles for the international banking sector because we realise that there are many conflicts between data protection and privacy law in other areas, where one set of regulators passes regulation, for example, in Basel II, there is a great need, requirement by banks under these principles to collect personal data, while at the same time banks are restricted from doing this by data protection law. There are many areas of conflict. I think this generally results from regulators not realising that they may be passing regulation which has a conflict with privacy law.
We formed a subcommittee which looked into this issue. They drafted a position paper on the Basel II principles on how they relate to data protection law and it is on our Web site. There is the Basel III accord. Maybe we have to revisit this and have an updated version.
Business cannot be put in the position of having to choose between privacy compliance and other compliance. This is intolerable and it doesn't further the interest of individuals. We have a very strong working relationship with a number of organisations that are active in privacy and data protection law. My colleague, Joe Alhadeff, will talk about the APAC, Asia Pacific group, and the fact that we've been the only business group that has been involved in the APAC group and has gone, as far as I know, to every single meeting, someone from ICC has been there.
So we've really been carrying the ball for the business sector in the APAC and established a strong relationship with them. We also have a very long standing and very valuable relationship with the Council of Europe, which of course has passed the first legally binding international instrument on data protection, which was the Convention 108. And we've been an observer in the Council of Europe T-PD group, which is their data protection group, for many years. As far as I know, we're the only business group that has formal observer status.
We've been attending their meetings quite regularly and have been involved in a number of their projects and value that relationship very much and value the work that the Council of Europe does. And of course, the Council of Europe has become a global organisation. It's much more than just the EU.
Of course, the European Commission, as I said, in negotiating the contract clauses we're quite involved in the developments in Brussels. I'm coming to the end of my planned intervention of about 15 minutes. I'd just like to conclude before passing the floor over to Ellen to say that I think ICC is really the business organisation that has the interest and the expertise to cover data protection issues on a global level. As I said, we also are in this for the long term. We don't just move from one issue to another quickly. We identify an issue and try to stay with it and really work in the long term. We try to build relationships with regulators. We also try to keep a global perspective so that we're not just looking out for the interests of developed counts. And we also countries.
I'd like all of you to go to our Web site. I'd like you to join the ICC national committee, you can come to our biannual meetings in Paris or you can also participate in telephone, and in this task force with regular telephone calls, conference calls with people from all over the world so you don't actually need to come to Paris.
So please look at our Web site and work with us. We'd be very happy to work with you on this. Thank you.
>> ELLEN: Thank you, Christopher. And we'll turn to Joe.
>> JOSEPH ALHADEFF: Thank you. And I'll try to use the concept that mutually assured destruction and speak louder than the people in the room next to us and see if they can escalate as far as we can escalate.
I'm going to do I'm going to have this discussion from perhaps a little more of a practical point than Chris did, and it's not just the value of participating in ICC vis a vis the regulator but actually also participating in the ICC for the value that business derives from interaction with other business.
One of the reasons this is important is because the privacy landscape as we know it is changing. The OECD guidelines are under review. New instruments are being planned. This is a time when business has to be an active participant in this dialogue with various intergovernmental, regional, legislative organisations that are looking at the way privacy law works. Even in the U.S., there are reconsiderations on what are the priorities of privacy, which was evidenced by the Department of Commerce notice of inquiry and consultation.
So this privacy is in flux within the next couple of years more than it's been in a long time. Business needs to be well informed about what that flux looks like and needs to coordinate its positioning related to what it's going to talk about related to these issues so it understands the impacts of potential changes and knows how to provide information to those people drafting regulation or looking at new guidance on what may be unintended consequences from drafting. And that's a very important role that ICC plays very well.
Some of that role is outlined in the privacy tool kit. And I'll I'm not the attractive one but I'll be the model holding it up. And just to give you an idea, the chapters of the tool kit talk about the role of ICT in economic growth. So again, thinking about privacy as an enabler of ICT, not privacy as a tax. If you think about privacy only as a compliance obligation, you miss the value that your company will get out of using privacy as a differentiator and privacy as a basis for driving customer satisfaction.
So privacy can be a positive, can be a differentiator, and can be one of the ways in which ICT's deliver their promise of growth because absent trust, ICT's will not reach the potential that they have for growth.
The chapters continue with the benefits of privacy, the functions of privacy, the principle, one of the most important and critical things is the implementation of privacy. And it talks about the use of codes, the use of contracts, the use of seals, and the concept of individual empowerment which includes the concepts of how technology may enable privacy. So you have the concept of privacy enhancing technologies. But often these are things like anonymizers, and people look at things built for privacy.
We have to look at the role of privacy in a more enabling context so you have the context of privacy applications technologies. Ice the context of a database. There is a lot of security functionality in a database. It's only that if you don't think about the privacy impact that things can have. So the concept of how to consider technology and the privacy impact of technology is tremendously important.
And then lastly, and this is the part of the tool kit that perhaps is most directed towards the regulatory community, concepts of regulatory guidance and action items or suggested paths forward rounds out the tool kit.
So that's nice. It's a nice tool and it's great for use in governments, but what does this really mean for business? How does a business think about privacy and what do some of these ICC instruments help a business do? Well, when you think about compliance, and I'm going to use the directive as an example, then there are various ways in which you can comply with the directive. If you're an American company, you may consider the safe harbor which is a method by which you can transfer between the U.S. and the EU. But almost all companies that are global in nature cannot cover all of their transactions through the safe harbor because you get support from third countries that go directly to the EU and other information that passes outside of the safe harbor.
And model contracts and binding corporate rules become one of the ways to think about those issues. As we look at those concepts, it's the work that the ICC has done which has really streamlined and facilitated the way you look at that because most of the model contracts that are signed or a number that are signed by businesses are actually the EU approved ICC model contract clauses that have been developed.
So it's an important compliance tool. The binding corporate rules, the work the ICC has done to facilitate the way in which you apply and consider the binding corporate rules, takes away one of the major hurdles to the BCR's, which is understanding how you can functionally work the administration of the binding corporate rule. So that has helped streamline the concept of binding corporate rules. And as Chris talked about, the relationship between the ICC and the EU makes them an interlocutor as the various aspects of the BCR are further developed.
On the international side, ICC, as Chris pointed out, has observer status through the clearing group of APEC, which has enabled it to be a proponent and driver of the APAC privacy framework and what is now going on as the path finder project. In APAC, when you have a project that is not subscribed to by every APAC economy, it's called a path finder project. There are currently 15 of the APAC economies that are participating in this path finder to look at how to develop cross border privacy rules, which is really in many ways the first practical implementation of the framework.
Right now, we're looking at ways in which companies subscribe to these cross border privacy rules, ways in which enforcement authorities look at these cross border privacy rules and in many ways both the binding corporate rules and these cross border privacy rules are examples of the new paradigm of how you think about accountability in privacy. And accountability is really one of the new concepts which we're likely to see in the revision of the directive as well which underpins the Canadian privacy law which is at the heart of the APAC privacy framework and which is also inherent in the OECD guidelines.
This is the idea that perhaps one of the things you have to figure out as a company is how to honour your obligations as information moves through global information transfers. And the concept of looking at contracts and some of these practical tools as the methods of accomplishing the way in which you find these compliance paradigms is very important and again ICC is at the heart of negotiating these and trying to understand how they apply.
And one of the things, as we look at these accountability paradigms and as these concepts are defined, there are significant potential or there is, rather, significant potential for administrative nightmares, overly burdensome regulation which is well intended but is perhaps not best tailored to be effective and provide the most positive outcomes both for privacy and for business.
So these are the kind of things where the discussion is key. The ability to provide information, the ability to have discussion is essential. I think as we think about the various processes that have gone on and I'll refer to the Barcelona process which was the progenitor to the Madrid resolution on privacy standards, it was a very broad consultation. It was a very broad dialogue that helped inform the work product that was going on to try to exactly avoid that potential for unintended consequences.
And the ability to create for governments coalesced business opinion is very important. It is very difficult for policy makers to hear 1,000 different businesses tell the same story in slightly different ways. That is not actually a useful contribution to the regulatory process. That gets factored in as noise in the environment.
So the ability to coalesce that, the ability to join together and what makes ICC unique in this process is the ability to do that across lines of business, across disciplines of policy, and across cultural and national boundaries with different legal precedence taken into account so that you really are getting this whole story put together with multiple viewpoints represented across multiple interest groups.
So when you think about the way the ICC is organised in something like the EBITT commission, you have the concept of people who are security specialists. There are people who are mostly interested in IP. There are people who are telecom specialists. There are people who are network specialists. There are people who represent the ISP community. You really have the rich whole of all of the various interests that have to be considered as you move forward because privacy is a horizontal discipline. It is context sensitive, and it is important to consider from all of these dimensions.
So without an organisation that has that richness of experience across nationalities, across disciplines, and across professional expertise, you only get a piece of the picture. And then you are also susceptible to having the unintended outcomes but not having the appropriate consultation.
So as a company, we see extreme value in having these issues discussed in the ICC because of that ability to get those broad viewpoints put together in a consensus statement that truly does represent a cross sectoral business point of view related to how to move these issues forward.
I think the last thing that perhaps one can talk about is the theory of privacy as a multidisciplinary approach. We have to think about privacy in the context of an ecosystem. And it's a changing ecosystem. So not only is privacy in flux at the moment but many of our business models are in flux at the moment. Whether you're looking at the advent of cloud computing and the use of it, whether you're looking at global sourcing, whether you're looking at a number of other issues, we are looking at situations where expertise is now managed globally, where service is provided globally, and where interactions, whether consumer to consumer or consumer to business, business to government, consumer to government, start happening on a broader and more global basis than ever before.
As we look at this new context of interaction and as we look at the new ways in which these issues are getting taken care of, many of the principles, if not all of the principles, still apply but we have to understand how to apply them. So the idea of notice is still a valid idea, although how you would accomplish notice in new technologies becomes different.
For instance, there's a notice that you can accomplish on a device with a screen this size. There's a notice you can accomplish on a device like a laptop. But then there's a notice that you have to take into account on something like an RFID tag. That's significantly smaller than any of these things. And the best you could hope for at that point is a set of symbols that give you the idea of what the privacy impact may be.
This is not changing the principle of notice but it's changing the way you have to think about its application.
There's also the concept that perhaps you have to think about concepts of how uses of information may change. Again, the uses are perhaps much broader than they used to be. You have to consider how to apply principles that exist today related to collection and related to use and how you may think about those. Consent, some information may be beyond the ability of a person to consent. How do you apply those principles related to those places? So again, I think in many cases, one of the things ICC helps us to think about is not whether we need new principles but rather how we think about applying principles in the context of new technological applications.
We also have to think about countries that may have less of a background in these issues. Developing economies that may not have had a long history of privacy or economies in which collective cultures have not really engendered the same kind of privacy concerns. Dialogue with ICC is tremendously helpful in helping to raise these issues and understand how to resolve and address these issues in a collective way with global impact that also has national resonance because it's nice to say you have a global position, but that global position has to inform a national implementation of that position.
And again, the ability to have broad representation across cultural and legal frameworks is tremendously important in considering how these issues are dealt with and how solutions are proposed and how to consider the problems that may occur at the national level or the local level or the regional level or, in the case of some business, at the sectoral level because new business models are sometimes in opposition to uses of information that predated them.
So I hope this gave you a little bit of the flavor of the types of things where it's useful to have the conversation of why ICC is uniquely positioned to have that conversation. And I think it might be now time to turn it back to Ellen and Zahid for perhaps a little discussion of that national implementation.
>> ELLEN: Thank you, Joe. Before we do that, I think we have a question from a remote participant. Heather?
>> HEATHER SHAW: We have a question from the Albanian hub. Joe, I think in the context of ICC's work on APAC, there was a question of which enforcement authorities are typically involved.
>> JOSEPH ALHADEFF: Sure. I have to say, occasionally it's disquieting because occasionally they're using the camera behind me and I'm taking a look at my bald spot in a way that I don't really appreciate it.
The conditions that you have, the agencies that participate are two kinds. You have the government policy making agencies which participate, and you have the data protection authorities which participate. The policy making agencies do not see themselves as having an enforcement role but are important because, in some cases, implementing the framework may require adaptation to national legislation or adaptation of national legislation.
The enforcement agencies which are the data protection authorities from New Zealand, from Canada, from Australia, from Hong Kong, among others, who are active participants, the agencies from Mexico who are newly charged by the Mexican data protection law, the Federal Trade Commission in the United States, and kind of the nascent developing authorities are all discussing methods of enforcement cooperation within APAC.
Interestingly, there's a European analog to this work, which is the enforcement coordination group that is working at the OECD, which is chaired by the data protection commissioner from Canada and which has participation from a number of the European authorities. And while there isn't a direct and complete linkage in the enforcement cooperation between APAC and the OECD, there is the beginning of using similar instruments and approaches and unified points of contact across that enforcement cooperation.
So that is also kind of a both evolutionary and revolutionary nature of the APAC process.
>> ELLEN: Thank you. Is there another question, Heather? No.
Now we turn to Zahid Jamil who has joined us from another session. He will talk about his experience in using these tools in Pakistan.
>> ZAHID JAMIL: Thank you so much, Ellen. I'm sorry to be a little late. I'm going to talk about the can you hear me? No. Let me try to move this a little further. Is that helping? I'll see if I can get this close enough to me. Can you hear me now? It is better.
What I'll be speaking about is the way in which certain developed country businesses or, in fact, ICC and other groups actually help Pakistan on the issue of privacy and develop certain rules and frameworks within Pakistan to assist them, to enable a developing country which used to and does still have outsourcing work being sent to it to be able to access markets in the EU and other countries. That would be an example mentioned as well.
I'm a lawyer from Pakistan. I am based in Pakistan. I work with the IT association there. One of the basic things that IT companies in Pakistan do basically is to obtain outsourced, word process data for North American or European or other countries, etcetera.
There were obviously, there became a time it became a sensitive issue as to the transfer of personal data, cross border transfer of personal data for processing to third countries. And generally speaking, the European Union as you obviously know, they said unless there are adequate safeguards, outsourcing to those nations would not be allowed under the directive.
I as a lawyer being part of a national committee locally in Pakistan which is made of Pakistani corporations had the opportunity to go to Paris to the ICC, and in their meetings attend after certain processes certain task force on privacy data protection.
At that time when I interacted, I had no idea how this may necessarily help me later on. But a year on having participated in this task force, suddenly Pakistan decided that they needed to have a very strong data protection legislation in the country. And the model that was followed was literally a reproduction of the European directive. The request for this came from a certain corporation, a company, Pakistani company, saying, we have difficulty sourcing European markets. So it is not going to be possible unless we have the proper legislation law in Pakistan protecting for privacy protection. At that time when the legislation came out, the IT association in Pakistan, which once we had some discussions, was quite concerned with the fact that 70 percent of its outsourcing market is actually with the United States. Companies in the United States would actually be impacted negatively, prejudiced.
Even though they are having a lobbying campaign, trying to explain to the government a different approach so that Pakistan could continue to and could, in fact, source markets not just in the United States but also the European Union. And in that process, what was very useful to have the corporations and task force, and Christopher and actually Joe were involved in the process in Pakistan and the process of the export board to explain to them the pros and cons of such a legislation.
And with Heather making some comments was extremely helpful as well. Through that process, a certain understanding and awareness arose within the ministry in Pakistan as to why having a purely exclusive European privacy model may not be the best way to go forward and they need to be flexible so they can source both markets.
As a result of that, that draft legislation was basically shelved and they started work on a new concept. I come to the next stage. Now, the developing countries' assistance to Pakistan in that capacity, provided to the ICC a concept of standard contractual clauses or model clauses of the ICC as the answer to be able to continue to work with the European Union and allow for data to be transferred from the European Union, personal data to be transferred to Pakistani companies so it could be processed.
And so it was the ICC's efforts that led to them to take that standard contractual clauses and also the binding corporate rules and issue them in a notification as guidelines to the local IT industry to try to use so they could source these markets.
The story was fairly interesting. We had an ICANN meeting in Paris where one of the ministers that was a member of the GAC had participated. This was an excellent opportunity for them to meet with the task force. Many went back within 30 days of having gone back from that meeting, this is an idea of how IGF can help, went back to Pakistan, immediately issued notifications and they came into effect.
The practical impact of that is that there was a certain corporation in the United Kingdom processing certain data in Pakistan which would have been in very serious violations of data protection or privacy protection in the UK, but had they not adopted these and signed on to what the standard contractual clauses so they were safeguarded from what was effectively an ongoing investigation and show the clauses and say, we're complying with the law.
A U.S. based company, which is part U.S., part Pakistani, wanted to source European markets and start business there, actually.... could you give us more information, because we want to utilize this methodology. So it gives you an idea of how developing country businesses and the ICC or the caucuses don't just help large Fortune 500 corporations but can actually have a very, very useful impact upon developing country IT businesses as well. And I think that is an example, a model to be followed of basically positive, cooperative engagement with both local, IT corporations and associations as well as government in those developing countries and to then come up with what basically would be an international best practice standard which can help not only the developing country but also the developed country to ensure security and to make sure they are complied with.
So this would be an example of developing countries helping us but us also developed countries helping developing countries but also developing countries by taking the outsourced work, doing it at a cheaper rate and doing it securely. So I thought I would leave that as an example of something that is a nice sort of nugget of an outcome of the IGF processes and in cooperation. Thank you for the opportunity.
>> ELLEN: Thank you, Zahid. I think we have another question from the remote participants. Heather?
>> HEATHER SHAW: A follow up question. Someone came in a couple seconds too late on Joe Alhadeff's presentation about the OECD enforcement cooperation group. There was a question again from the Albanian hub, if you have to be an OECD member to participate.
>> JOSEPH ALHADEFF: It certainly helps. I'm not sure if it's an exclusive club. I know that the material that comes out of that cooperation group is certainly accessible to non-OECD members. And I'm sure there is a desire to make sure that it is, the enforcement cooperation will happen across not just OECD member economies but in terms of whether you can participate in the commenting or drafting on the agreements related to enforcement cooperation, that may, in fact, be limited to OECD members and specific observers.
Participation after that in actual enforcement cooperation is likely to be expanded beyond just OECD.
>> ELLEN: Okay. Are there any questions from the room? We have lots of time left. Are there any questions people have for the speakers? Christopher, maybe you can tell us I'm sorry. I do have a question.
>> Audience: Holem, from industry. What is your privacy instruments as a tool for help giving better privacy solutions to government and businesses?
>> I think privacy impact assessments are important exactly as you pointed out as a tool. In fact, at the moment, the European Union is going through an exercise with the first really EU based privacy impact assessment which comes out of the RFID guidance in March actually, May of last year where there was a requirement that RFID systems go through a privacy impact assessment.
And it hasn't been issued publicly yet, but there is a drafting group that's working in conjunction with Article 29 on the development of how this privacy impact assessment would work.
I think what's important to think about is that the privacy impact assessment often focuses on the technological impacts of a system. And at the company level, one of the basic utility of some of the practices ICC has looked at is that they also go beyond the technology to think about the business model and the way in which you think about collection and all of these other aspects which sometimes are beyond the scope of what a PIA actually does because it's more focused on a technical implementation. So I think as a tool, privacy impacts are useful.
One of the things that the guidance misconceives is the resources available for authorities to review PIA's because in theory, the PIA's are meant to be filed with authorities. And I think authorities have a little bandwidth to look at these in the absence of a question they're looking to answer or in the absence of an investigation that they're participating in. One of the best ways for a PIA to be used is for a company to determine whether it is a system that's useful and ready with the possibility that an authority can ask to see the results of that if they have a question related to the system or if there's an investigation related to the system.
But I think you have to worry about the burdens that filing may create on both sides. And that's one of the issues that's probably up for discussion in the European PIA context.
>> CHRISTOPHER KUNER: I agree with what Joe said. I think you can go to this term, first of all, it's a term of art which is used as a specific kind of filing or documentation such as with the RFID proposal in the EU. However, I think it's much broader than that. You can also think of it as something that a business should do in every case in general. In other words, if you're going to initiate the processing of personal data, you need to do an internal privacy impact assessment. This isn't necessarily a formal procedure. It doesn't mean that you have to get authorization. But you should always consider what are the privacy issues because if you don't consider them early on, you may proceed down the road, start to implement the project and then realise very late or maybe even after the project has started that a privacy or data protection issue exists.
And this is, I think, fundamental to some of the products that we produced. For example, the standard clauses make it very clear that before you transfer personal data, you have to be in compliance with the local data protection law. And you have certain obligations to consider what is going to happen to the data after I transfer it. You have to know who you're transferring it to. You have to have some level of assurance that they're going to provide adequate protection.
So this is something that is really on two levels, it's a very specific level for something that is being developed in different bodies as a kind of regulatory filing. There may be a place for that, although I agree that it's certainly this is a good example of something that shouldn't be too restrictive or bureaucratic because it can really stifle a lot of general useful business activity. It's a code word for something business should do in every case, which is always consider privacy and data protection early on in the process. And you will end up saving a lot of time and trouble later on.
>> JOSEPH ALHADEFF: The one thing I forgot to mention is what's being considered now at the level of the guidance for the RFID is actually a privacy impact assessment framework. And that's an important concept because it recognizes that companies may need to do privacy impact assessments in a way that is tailored to their needs and their systems and the framework is just making sure that the elements are all going to be there but not specifying the way in which it's done or imposing a specific methodology of how to do that but making sure that they all meet general requirements of how you should think about this: how to do that.
Imposing a top down detailed set of questions is unlikely to be functional or practical.
>> ELLEN: Any other questions? A quiet group. Christopher, maybe you can tell us a little about any work, future work you expect from the Committee in this area.
>> CHRISTOPHER KUNER: Yes. Thank you. I think that the future work will follow the general themes that I outlined, in other words, looking at global issues. We will certainly continue to look at the issue of transborder data flows because as I said, there are a growing number of countries that are passing such legislation. And I think there's going to be an increasing need for tools in the area of transborder data flows. We've seen we've done quite a bit of work in the task force with regard to the EU, the standard clauses and the BCR's. Of course, there's a lot of development also going on with BCR's.
We have been working on a paper on BCR's to give some examples of ways in which the process for approval of BCR's could become more flexible.
We are certainly going to follow, I think, something Joe referred to which is the fact that this is a crucial area, a crucial time now for privacy in that many bodies are rethinking or reviewing the frameworks for privacy protection which they have had. It's not just a matter of new instruments being developed but things like the EU Directive 95/46, the OECD guidelines, now the Council of Europe Convention 108.
I think all of these things are being looked at again because they were approved in a period when really the internet did not exist as a mass phenomenon. And they have proved remarkably resilient. Many of their basic principles, I think, continue, all of the basic principles continue to be relevant and valuable. I think many government bodies realise there needs to be a reevaluation because we've seen a fundamental change in the way data are processed and the fact that global transfers have become ubiquitous. There is this ongoing review of different instruments, also in countries, as Joe said even in the United States now, there's quite a lot of activity.
So we will continue to follow different legislative initiatives going on in different regions and provide input on that. We're also going to try to work more and more, I think, with developing countries to try to make it clear to them, this is really a way that they can energize their IT sector by adopting protections from privacy which also allow for business flexibility and that by doing that, they can take advantage of the internet economy.
So we've had contacts with some developing countries. We want to come more and more of these like IGF, present our work and reach out to people and also find more and more people like members who can go back to their own countries and work in their countries.
So those are just a few things. I mean, I could go on. I think another area we're going to look at, just to conclude, is conflicts between data protection law and other areas of law. As I said, this is really an intolerable situation which is developing in many areas where there's one burden put on by one set of regulation and there's data protection law says the exact opposite. We need to find a way to resolve these sort of conflicts so that both interests are protected. And we'll continue to look at that. So back to you, Ellen.
>> ELLEN: Is there anything else, any questions? Yes, Joe is going to ask the audience a question.
>> JOSEPH ALHADEFF: I've never been shy about these things. It strikes me that we have a fairly broad representation in the room from what looks like perhaps a number of different countries. And I was just wondering if there are issues happening in your country that you haven't heard discussed because it would be an opportunity for us to also learn from you if there are topics we should be considering that haven't yet been brought up by us.
So I would like to take this opportunity to learn from the collective in the room as to whether there is something in your country or in your organisation that is an issue on privacy that you'd like to raise and see if it's something we're dealing with or not.
>> I'm Deepak from India. In India, two things. One is that there has been some is it on? There has been news about certain things about lawful interception, monitoring that type of thing. Also as a country, there are things like that. More than that, I would say that right now the opportunity of having an delivery legislation. It is not being piloted by the ministry but by another ministry. Some nebulous work has started in the Assembly.
>> Wendy: Thank you very much. I'm Wendy from Kenya. The issues would be the use of mobile telephone on commerce. It's the most common means. So that people are now paying for services using mobile money transfer. So if that is a consideration, or issues to do with privacy when using a phone. Currently the government has put into place regulations. It actually was a presidential directive on the legislation of mobile phones and, therefore, that was kept by the mobile operators, of how they protect that data and how they use it is an area which we would like you to consider. Thank you.
>> Can I ask just a follow up question by way of clarification. Included in the mobile issues, would it be the concept also of location based services, the idea that I mean, there are some services that are somehow tied to location. So this gas station is now charging less, so as you're driving by, it knows what your location is. So part of the future of mobile telephony is the concept they would use location in order to target services to you, which many people can see as a benefit but some people can also see as a harm.
I was wondering if that was something that you were also considering.
>> Wendy: At the moment, we haven't gone that far. What people find a bit irritating is the use of your mobile number, for example, to send marketing messages. So maybe in the future, there will be location marketing, but currently it is the use say, for example, you pay your power bill using your mobile phone, using money transfer. Then the power company can send you messages saying maybe, you know, have a merry Christmas. And most people find that quite irritating. Thank you.
>> ELLEN: Thank you. Yes, Juan Carlo.
>> Thank you. Just to give you the perspective of a Latin American country, I think that the main problem as we discuss in the IGF regional meeting in terms of privacy and data protection is that unfortunately, it's not in our legal culture. And there's a lack of awareness of the common people about the rights around privacy and other protection.
That's a problem because usually, the public opinion focuses more on closed societies or governments that, you know, people are alert in terms of breach of privacy or any type of regulation that may affect data protection. But in fact, open societies, democratic societies, as most of Latin American countries will be regarded, that's not the issue. The issue is the lack of awareness. And now with mobile technology growing at a very fast pace, I'm afraid that there should be a lot of efforts trying to link the people with the protection of data, of personal data and privacy. In Ecuador, my country, we recently approved a national system for data and registries. And it doesn't follow any of the international standards at all. It's a very dangerous piece of law, piece of legislation. And actually in the media, those who oppose this project, we use the outcome of the Madrid, the civil society meeting and declaration, we use that as a tool to create awareness that I think that we should work much more on that aspect before legislation starts to pass in other countries. We had a wave of access laws without data protection laws prior to that.
So now most of Latin American countries, we have access to information laws but we don't have specific data protection laws.
>> The point raised by Kenya, for instance, is very interesting, the utility payments, etcetera. We have the same problem in my country in Pakistan. To give an example, with corporations you can say you can sign a contract or something. With the government in Pakistan, there is something called the national database registration authority that issues the ID cards. It has all your personal information. Recently people became aware of this as an issue. Awareness is an important issue. Now they're starting to talk about the fact that that national database registration authority is actually taking the data it has and selling it to anybody who will pay a fee for it. And that becomes a major issue with regard to awareness and what that means.
A lot of corporations go to say, they process the data, you sign up to date at that protection and privacy services. They can actually utilize all that data for marketing purposes. Those are the kind of questions these days that are being raised within my country.
>> I'm Charlotte. I'm a small business owner in California, a technology company. And we are frequently transferring data to the far east countries. A lot of it is protected intellectual property. And it's always a concern for us, what happens to this data in the process of transfer and what happens once we have released it at the other end. So I would be greatly interested in hearing what kind of controls we can put in place so that we're protecting the data for ourselves and for our customers and other individuals.
>> I guess one clarification, the data that you're transferring is data of individuals or is it protected intellectual property of the company?
>> Charlotte: It's both, but it's primarily protected data, intellectual property basically.
>> Panelist: The privacy commission wouldn't be the point for those issues but certainly the International Chamber of Commerce does actually deal with the intellectual property protections and the kind of clauses. There are broad best practices that they do as well as looking at the more formal treaties that exist in that. So we can put you in touch with the correct people at ICC, what the privacy commission would be doing is looking at the protection of personal data that might be transferred and the kind of controls you can use. That's where the model contracts that we've been talking about deal with the protection of that data for the best practices related to that kind of data. What we should do is we'll take you offline and hook up with the right people to get linkages to that information.
>> ELLEN: I think we have another question over here, comment, question.
>> Audience: My name is Eric Nagursi. I don't have a question. I wanted to share with you the perspective of Tanzania, where I come from, regarding mobile phones. Like Kenya, we also have regulated the use of cell phones as a result of the association of criminal activities, those that perpetuate criminal activities using, buying very cheaply the cell phones with the SIM cards with the numbers, committing crimes and throwing away the mobiles, then another crime.
Besides government regulation, we in place regulation, a regulatory body that controls that. And it requires that you put in personal data so that you are known and you are located. Should the use of such number be associated with any criminal activity, then you'll be responsible. That is, in our view, important for public safety because of the increasing rates of criminal activities that were associated with use of mobile phones. Thank you.
>> ELLEN: Thank you. Go ahead.
>> Audience: Hello. Do you hear me? This is better. My name is Jean Luc. We are one of the regional internet registries. And I just want to address the issue of the privacy regarding IP addresses.
We've had a task force in the community, it's a technical community. And one of the issues we have for a technical community is crucial but we have a public database with IP addresses so the people actually know who is responsible for what IP range.
From our viewpoint, we deal in blocks of IP addresses. It's never an individual IP address which can be related to an individual. And mostly we deal with companies. So you could always argue it's a person in his role as an employee of that organisation, why is he in that database. I do see more and more development to see IP addresses there as private data. And I recently read a verdict in Switzerland, I think, which also specifically said that.
So I would like to hear what the panel thinks about that and how you see that developing. Thank you.
>> Panelist: I think unfortunately as you move from an IPv4 to an IPv6 neighborhood, this is going to get worse, not better, because there is going to be a belief that there is a greater level of identification between the numbers and the possible associated identities. The fact that you are dealing with ranges should, in fact, insulate you from some of that, but apparently it hasn't.
So if you're already feeling pressure based on the range, I don't necessarily think it's going to get better. But I think this is the kind of thing where a collective conversation that might inform what is the actual risk of compromise related to a range of addresses is an important thing that might be taken up because I think it's unclear why a range of addresses should cause the same level of concern; even an individual address is only potentially identifiable, not absolutely identifiable, and it's identifiable to a machine or an instrument, not a person.
So I think some of these issues have been taken and kind of worst case scenario has become the mainstream scenario and people have run with them. But I think it benefits from further conversation because I think as IPv4 transitions, it's going to get worse and more detailed.
>> Audience: I would like to make a remark. I have a feeling that many of the internet users and especially the youth and even children really are willing to sell their privacy just for an additional bonus. And they do not really care for their personal data, especially when they register and when they submit their information. Maybe after that, they get worried about that. At that very moment, if they get anything in exchange for that, they do not care. And I see that problem in Lithuania with the data protection and privacy where it's not so old.
>> ELLEN: Christopher, did you want to add something on the IP addresses?
>> CHRISTOPHER KUNER: I just endorse what Joe said. Number one, I think this will get worse because it's becoming more and more difficult to claim that certain types of IP addresses aren't universal. However, I think there is some room for having a more nuanced discussion. And in fact, even many data protection regulators that could take publicly the view that all IP addresses are personal data, if you present them with more detailed facts of certain situations where it's very clear that there's really no chance of relating an IP address to a person, they may actually agree with you.
So I think we need to move this discussion from a broad black or white saying, every IP address is personal data or it is not, to look at it in a nuanced way. We can conclude that yes, in certain situations an IP address is personal data and in other situations it shouldn't be doing that. The key for business is making this the case, presenting these fact patterns and clearly differentiating where are the different situations.
>> I'll take a shot at responding to the last comment. I think, you know, one of the problems that we're finding is not that young people are unskilled knowing the consequences of their action. The problem is that they're young and don't care about the consequences of their actions. If we think to when we were 18 and 20, we can catalog the stupid things we did. There wasn't a broadcast network available to make sure that it became a permanent record of the stupid things we were doing. And that's the difference of where we are. It's not that I think young people value more or less what they're doing, it's just they make decisions of youth, which are not decisions of experience. And I think, you know, part of the concept is, how do you have that education of trying to build that experience at an earlier age. And I think it's a difficult conversation that has to include the home and the school and the entire environment in which they're operating because things do have a different impact later in life than they did before.
>> Audience: You can find studies on both sides of this question. You can find studies that say young people don't care at all about privacy and you can find studies that say they care a lot about privacy. In the end, it generally or often it comes down to how the question is asked. And then from that, you can get to the result.
I think certainly as Joe said that this is something that needs to be thought about a lot. And something as globally as societies that we probably have done a very poor job on is including privacy and data protection in the educational system from a very young level. You see initiatives in some countries indicating or starting to make it clear that you have to treat you have to teach computer literacy from a young age and also this has to include privacy and data protection. Yes, there are certain ways, can you protect this there are certain things business can do. This is really an awareness and educational issue. It used to be given a much higher priority than it has been.
>> ELLEN: Thank you. Are there any other comments or issues that you'd like to get raised?
Okay. Going once... yes, Heather, is there anyone? Okay.
Thank you. I think this has been a useful discussion for us. And I hope interesting for you. And some of these issues actually that we just started to touch on in the social networking area, there are sessions about later today. There will be more discussion there. Thank you.
(End of meeting)