IGF 2019 WS #236 A universal personal data protection framework? How to make it work?

Subtheme

Organizer 1: Ying Tung, Mandy Chan, The University of Hong Kong
Organizer 2: Mingzhu Li, Hong Kong Shue Yan University
Organizer 3: Steven Chen, The Chinese University of Hong Kong
Organizer 4: Aidana Alken, The Hong Kong Polytechnic University
Organizer 5: JING HAN DONG,

Speaker 1: Arthur Gwagwa, Technical Community, African Group
Speaker 2: Jaewon Son, Civil Society, Asia-Pacific Group
Speaker 3: Peter Kimpian, Intergovernmental Organization, Western European and Others Group (WEOG)
Speaker 4: Lih Shiun Goh, Private Sector, Asia-Pacific Group

Additional Speakers

Charles Mok, Technical Community, Asia-Pacific Group 

Jean F. Queralt, Civil Society, Asia-Pacific Group

Renata Avila, Civil Society, Latin American and Caribbean Group (GRULAC) 

Moderator

Mingzhu Li, Civil Society, Asia-Pacific Group

Online Moderator

Ying Tung, Mandy Chan, Civil Society, Asia-Pacific Group

Rapporteur

Aidana Alken, Civil Society, Asia-Pacific Group

Format

Round Table - Circle - 90 Min

Policy Question(s)
  • What are the fundamental principles for personal data protection in cross border context? 

  • What are the current difficulties for personal data protection in cross-border context? 

  • What are the implications of recent institutional regulations on data protection in the global south and global north? (SDG 16)

  • How can technical community, private sectors, governments, civil society and transnational organizations employ and design a universal personal data protection framework to develop effective policy? (SDG 17)

  • Is it possible to establish a universal mechanism that not only monitors and evaluates the data transfer, but also settles disputes towards data governance? (SDG 9, 16, 17)

SDGs

GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 10: Reduced Inequalities
GOAL 11: Sustainable Cities and Communities
GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals

Description:

This workshop will provide participants with an overview of personal data protection from the domestic to the global level. With a particular focus on GDPR, it aims to investigate the current limitations and considerations of transnational data protection law, in the hope of shedding light on the imminence of establishing a universal data protection framework.

Expected Outcomes: 

Throughout the discussion, the workshop aims to establish fundamental principles for personal data protection in the cross-border context on top of the existing ones. We would like to identify the key limitations of existing personal data protection legislation, areas for growth and opportunities for cooperation between the global south and the global north. Most importantly, our ultimate goal is to evaluate the possibility of settling disputes on personal data protection with a universal mechanism.

The session organisers will be responsible for managing the length of each session in achieving a meaningful yet balanced discussion on issues revolving around data governance. With the aim of exploring the possibility of establishing a universal personal data protection framework that settles disputes over personal data incidents, the session organisers will facilitate the discussion by encouraging and bringing in novel questions and opinions from both onsite and online participants. Participants will be given opportunities to share their thoughts on different dimensions of data governance with our professional speakers during the round table discussion. The round table discussion is expected to enable interaction and exchange of views between participants with diverse backgrounds and speakers representing different stakeholders, which could foster understanding of the present needs, existing limitations and potential resources for a global data governance mechanism.

Relevance to Theme:

The development of automatic data processing and the accelerating development of technology enable vast quantities of data to be transmitted across the world within seconds. In the era of globalisation, a vast quantity of personal data could be transmitted and misused easily if there is no personal data protection framework or legislation to protect against data breaches.

Although many international organizations have introduced sets of principles, guidelines and policy suggestions, personal data protection law at the national level has not yet been enacted widely across the globe. Meanwhile, the implementation of GDPR imposes stricter protection on cross-border personal data transfer, which provides a realistic option for those who wish to transfer data wherever they like.

Some countries may resort to following the existing data regulatory model, which in turn risks creating a more fragmented global geometry for commerce and information exchange. It will affect the flows of cross-boundary data and lead to isolation and siloing of data usage within a specific country. Restrictions on these flows could cause serious disruption in important sectors of the economy, such as banking and insurance. The issue is imminent and involves not only governments and the global community but also individuals.

For this reason, this workshop hopes to build up the conversation on reviewing the existing principles set out by different institutions and international organizations. It aims to help harmonise national privacy legislation and to avoid interruptions in international flows of personal data. We hope to reach a consensus on the fundamental principles of cross-border personal data protection by reaching out to different stakeholders for their concerns about the issue, and ultimately to touch on the possibility of establishing a universal data protection framework that will hopefully serve as a reference for future legislation and discussion.

Relevance to Internet Governance

Data governance concerns an array of diverse and sensitive issues like protection of personal data, law enforcement and other security issues. Different governments have different models to steward their data, so as to foster better governance. These issues are interwoven with internet governance, since the internet is a vast network which is connected by standardized data communication protocols.

Vulnerable data management may result in data and privacy breaches, which pose risks of crime, abuse, surveillance and social conflict at the domestic or even international level. The collection and use of network data, when not properly regulated and stewarded, could put cybersecurity at risk, hindering the proper functioning and use of the internet.

The above scenarios demonstrate the importance of data governance in the use of the internet, and thus are highly relevant to internet governance. In our policy questions, we focus on practical mechanisms for governing personal data in the cross-border context. We seek a better understanding of the capability of the global south in handling issues related to personal data governance and the impacts of doing so. Examining the different limitations and advantages that arise when regulating personal data privacy issues can give us insight into the strengths of, and the possible assistance needed for, effective stewardship in different countries. Learning about the differences and uniqueness of the global north and global south could help in constructing a universal personal data framework that could facilitate international cooperation and meaningful participation among different countries, regardless of their developmental level, in global internet governance.

Online Participation

By clicking on the link in any electronic agenda published on the IGF website or on social networking sites, participants can be directed to the meeting room. If a speaker is a remote presenter, they can still access the meeting room to present their ideas.

Proposed Additional Tools: Social Media hashtag on Facebook

Agenda

Introduction - (10 min) 

Our moderator will start this session by introducing the speakers and elaborating on the agenda and background of the workshop.

Speaker sharing - (10 min) 

Mr. Peter Kimpian will share about Convention 108+, which will offer more insights on fostering international cooperation on the issue based on the commitment to respect common principles and the creation of a common legal space. This will facilitate the beginning of the discussion and will give participants the necessary background to refer to in discussing how a universal personal data protection framework can be built up.

The First Round Table discussion - (20 min) 

This is a primary discussion aimed at gathering more information about the difficulties faced by different stakeholders in personal data protection in the cross-border context.

Guiding questions:

  1. What are the fundamental principles for personal data protection in cross border context? 

  2. What are the current difficulties/dilemma for personal data protection in the cross-border context?

Opening Remark of the second round table discussion - (10 min)

One of our speakers, Mr. Charles Mok, will summarize the key points of the previous discussion and share his ideas on the issue, so as to inspire more discussion in the second round table.

The Second Round Table discussion (35 min)

In this round table discussion, the focus will shift to practical matters regarding the establishment of a global data protection framework, seeking to understand more about the challenges faced and ways to improve the data protection mechanism. The three other speakers, who represent the technical community, civil society and the private sector respectively, will be able to add different perspectives to the discussion and make the voices of different geographical regions heard.

Guiding questions:

  1. What are the implications of recent institutional regulations on data protection in the global south and global north? (SDG 16)

  2. How can technical community, private sectors, governments, civil society and transnational organizations employ and design a universal personal data protection framework to develop effective policy? (SDG 17)

  3. Is it possible to establish a universal mechanism that not only monitors and evaluates the data transfer, but also settles disputes towards data governance? (SDG 9, 16, 17)

We will also open up the floor for the remote participants to comment and ask questions. Our on-site and online moderators will facilitate this session and may ask follow-up questions to encourage participants to interact. 

Conclusion (5 min) 

The moderator will summarize the key takeaways from the discussions and our on-site moderator will link ideas back to the topic of establishing a global data protection framework. Speakers will be able to add final remarks if they wish.

1. Key Policy Questions and Expectations
  1. How can technical community, private sectors, governments, civil society and transnational organizations employ and design a universal personal data protection framework to develop effective policy? 

  2. Is it possible to establish a universal mechanism that not only monitors and evaluates the data transfer, but also settles disputes towards data governance? 

Throughout the discussion, the workshop aims to establish fundamental principles for personal data protection in the cross-border context for future reference. Convention 108+ will be the starting point of our discussion, helping us to dive into the mechanism of establishing a universal personal data protection framework. The discussion will then continue by identifying limitations of the existing protection legislation and their respective impact on the global south and global north. Eventually, we expect to evaluate the possibility of settling disputes on personal data protection with a universal mechanism.

2. Summary of Issues Discussed

There was broad support for the view that, even though it is very strong and detailed, GDPR is too heavy and cumbersome for developing countries to adopt because of the lack of infrastructure, sensitive economies which might be negatively affected by over-regulation, and the lack of genuine need for such advanced legislation. Many indicated that the voices of civil society on the issue should be raised more. Some focused more on policy challenges and opportunities, while others emphasized the role of infrastructure and the need to discuss it more. Many also supported the view that legislation should be formed at the local level through regional trade agreements, relying on the framework only as a guideline or reference. This will allow civil society to participate more on the issue through local parliaments and other governmental structures.

3. Policy Recommendations or Suggestions for the Way Forward

Economic: data protection policies should be incorporated into the business models of companies. Data protection policies can be incorporated into the regional trade agreements or into consumer protection laws.

Social-cultural: the introduction of e-literacy in schools’ curricula as early as possible should be promoted more.

Technical:

Overarching: local parliaments and governments should be the champions of the local laws, so that civil society can find their way to voice out their opinions on the legislature. The courts may use human rights regulation mechanisms where data is a cause of human rights abuse.

 

4. Other Initiatives Addressing the Session Issues

Convention 108+: a more flexible and affordable framework compared to GDPR. It is the only legally binding, it is open to third parties. There are 55 parties already, 47 of which are members of the Council of Europe. It is not advertised much compared to GDPR. It is reaching out to Latin America and Africa; however, there is not much contact with the Asian region.

ASEAN agreement: cross-border data protection as a part of trade agreements; 10 member countries, 700 million people, very diverse culturally and economically. ASEAN grows because of entrepreneurs. The governments understand the need to protect personal data and they agreed to work on economic growth. 

Kenya: a localized data protection law formulated by local governments with the help of the Council of Europe. Kenya's privacy and data protection bill was passed recently. GDPR was a good starting point for them, but there are some global standards that cannot be implemented at the local level. In such a case, local parliaments and governments should be the champions of the local laws, so that civil society can find their way to voice out their opinions on the legislature.

5. Making Progress for Tackled Issues

The private sector should not shift responsibility onto civil society, which does not have enough knowledge of data processing. Businesses have to provide users with technology that they can trust; users should not have to worry about whether their data is duly protected. Computer science students should learn more about human rights if they want to work with human-centered technologies. We should strive to avoid criminalization and regulation which cannot be implemented locally. Business models should be developed with built-in data protection mechanisms. There should be more promotion of Convention 108+.

6. Estimated Participation
  1. Please estimate the total number of onsite and online participants.
    Total number: 79;  women: 30.

  2. Please estimate the total number of women present onsite and online.
    Online participants

YouTube participants: 8

Zoom participants: 14

7. Reflection to Gender Issues

N/A

8. Session Outputs
  • The framework needs to be sensitive and practical towards the needs and resources of developing countries. The framework should allow the global south to find the right balance between data protection and economic growth. Many developing countries are discouraged from implementing data protection laws when they look at GDPR, which is too complicated. These countries may not have the necessary infrastructure to implement these laws. Also, SMEs in these countries may depend heavily on internet services, so burdening them with data protection compliance may hurt economic growth in the region. Local political issues which allow big actors to dictate the data flow dynamics in regions also cannot be ignored.

  • There is a severe lack of awareness. The emotional disconnect between the data and its source is alarming. Data represents people, but because of this disconnect, many people fail to understand the meaning and the importance of data protection. We should raise awareness about Convention 108+ and other initiatives which are aimed at protecting data and are not as cumbersome as GDPR. People must be educated about protecting their personal data and how it should be achieved. Early education in e-literacy plays an increasingly important role in protecting individuals online.

  • There is too much focus on policy in the discussion, whereas infrastructure also needs a lot of attention. The development of policy should go hand in hand with the development of infrastructure that will enable smooth implementation of the developed policies. Personal data protection policies must be incorporated into the business models of the private sector.