IGF 2018 WS #214
Empowering Citizens in Global Internet Privacy Governance

Organizer 1: Lucien M. CASTEX, ISOC
Organizer 2: Julien Rossi, University of Szeged
Organizer 3: Paula Forteza, Assemblée Nationale
Organizer 4: Francesca Musiani, French National Centre for Scientific Research (CNRS)

Speaker 1: Gloria Gonzalez Fuster, Technical Community, Western European and Others Group (WEOG)
Speaker 2: David Martin, Civil Society, Western European and Others Group (WEOG)
Speaker 3: Karolina Iwanska, Civil Society, Eastern European Group
Speaker 4: Danilo Doneda, Civil Society, Latin American and Caribbean Group (GRULAC)
Speaker 5: Peter Kimpian, Intergovernmental Organization, Western European and Others Group (WEOG)
Speaker 6: Fatima Cambronero, Technical Community, Latin American and Caribbean Group (GRULAC)

Moderator

Lucien Castex

Online Moderator

Francesca Musiani

Rapporteur

Julien Rossi

Format

Round Table - 90 Min

Interventions

Péter Kimpián - CoE
Dr. Péter Kimpián has worked several years at the International Affairs Department of the Hungarian Data Protection Authority before joining the Council of Europe, where he was involved in the negotiations of Convention 108+. He also took part in Government Advisory Committee work at ICANN. He will be able to discuss both the novelties in Convention 108+, the extension of its territorial scope, but also the strategy developed by the Council of Europe, as a human rights organisation, in Internet governance fora.

Gloria González Fuster is a leading expert on privacy and personal data protection issue and will provide insight on compensation of harms in data protection law.

Karolina Iwańska from the Panoptykon Foundation (membre of EDRI), a Polish NGO defending human rights, will provide insight on users' empowerment with regard to their personal data.

Tara Whalen - Google, W3C
Tara Whalen is co-chair of the W3C Privacy Interest Group (W3C PING). She is also a leading academic researcher in computer security and privacy issues. She has worked as a computer science expert at the Office of the Privacy Commissioner of Canada, before doing research at Stanford and being recruited by Google to work on privacy. As such, she is one of the leading experts on the relation between public authorities, industry and standards-setting organisations. As co-chair of W3C PING she will be able to discuss the matter of the opportunities for civil society to take part in the editing of Internet standards.

Chawki Gaddes - Tunisian Data Protection Authority
As head of the recently created Tunisian Instance nationale de protection des données personnelles, the Tunisian Data Protection Authority, Chawki Gaddes is one of the key players of democratic transition efforts in one of the world’s most recent and promising democracies. He played a key role, together with NGO’s like Access Now, in managing to counter a project to introduce a new biometric identity document. He will be able to discuss the role of data protection in democratic transition, and how it affects citizens in the exercise of their democratic rights and freedoms.

Simon Rice - Information Commissioner’s Office, United Kingdom
Dr. Simon Rice is a computer scientist working at the British Data Protection Authority, where is the lead technologist. He plays an active role in the Technology Sub-Group of the Article 29 Working Party, and took part in discussions in the W3C Privacy Interest Group. As such, he is a leading expert on the importance of privacy in the development of web standards, and will be able to discuss the relationship between public authorities and the multi-stakeholder development of the building bricks of the Internet.

Paula Forteza, french member of the Parliament will bring her expertise on legislative regulation as rapporteur of the French implementation of the GDPR and as part of the working group on the Constitutional revision to include a digital bill of rights.

Diversity

Diversity is a premise of users’ empowerment and we aim to have a high diversity of participants including ordinary citizens as long as speakers from all over the world, including Europe, LAC and Africa. A number of participants will be new to the IGF. Beside the speaker list, we have a number of interested participants, including government (2 participants interested), academia (5 participants), Industry (2 participants), the technical community (1 participant, to date) and civil society (4 participants). Gender balance is also a key priority.
We chose to respect an additional diversity requirement, by inviting people not only from different continents, but we also tried to involve as many people as possible from countries that have so far been peripheric in Internet governance, such as Tunisia, Bosnia, Poland or Hungary.

The present organizing team from Europe (EEG and WEOG) is intended to evolve until November to include at least two more co-organizers from other origins.

PROPOSED FORMAT : roundtable, open-discussion, 90 minutes.
1 chair
1 facilitator per topic

> Opening (20’)
- Discussing the latest legal developments: UFADAA, GDPR, ePrivacy, CLOUD Act, Convention 108 + APEC
- Presenting the work done in standard setting organisations on privacy

> Data Protection and Privacy in the Empowerment and Resilience of Democracy (25’)
- Extending Testamentary Freedom to Post-Mortem Data
- Opportunities for civil society in privacy web standards

> Empowering citizens: collective action mechanisms and transparency (25’)
Botom-up approach of privacy and users' empowerment
Q&A and debate

Perspectives (20’)

The aim of the workshop is to achieve a real debate amongst participants and share their expertise and their vision on privacy. Moderators will keep time and engage participant to ensure the quality of the discussion. ISOC France team and partners is composed of experienced moderators used to engaging in public debate with a diverse audience: online, onsite, citizen, experts, governments.

The roundtable format will allow experts and moderators to directly engage the audience and share their expertise and insights on privacy and users' empowerment. At least 30 minutes will be allowed for questions and comments from the onsite and remote audiences.

Organizers will use visuals (videos material, slides, images) to engage the audience and facilitate discussion with non native english speakers.

An online study on privacy practices will be proposed to participant (onsite and remote) to allow feedback and open discussion.

The moderators will introduce key technical topics and will have questions prepared to engage the audience and invite discussion between experts and participants.

On May 25th, the General Data Protection Regulation came into force in the European Union, two years after its final adoption. Yet this does not mean the end of the road for developments in the field of privacy.
Indeed, the same month, the Council of Europe released the final version of the new version of Convention 108 on the processing of personal data. Many non-European countries have already ratified have already ratified Convention 108, and many others are taking steps to join them.

The potential expansion of (some) privacy rights to post-mortem data is getting more and more attention in countries such as the United States, with the Uniform Fiduciary Access to Digital Assets Act, or in countries such as France, Spain, Bulgaria or Hungary passing legislation on the matter. As people die on the Internet, this issue is going to get higher on the political agenda.

In the tech world, discussions are still alive around W3C’s Do Not Track specification, which has not yet reached the status of full recommendation. With the e-Privacy Regulation proposal, the EU is taking steps to grant legal protection to this standard, heralding a new era in relations between standards-setting organisations that are at the core of Internet governance, and public authorities.

ISO is also working on a set of standards that may now be recognised under the GDPR as labels.
But all of these instruments are only relevant if enforcement is carried out. Arguably, administrative fines of up to 4% of global turnover or 20 million euros was the single biggest novelty in the GDPR, compared to Directive 95/46. But more often than not, data protection authorities do not have the means to carry out systematic controls and sanctions, even where needed.

Art. 80 of the GDPR creates a legal ground across Europe collective redress mechanisms, empowering civil society, and especially NGO’s in the field of digital rights, to bring cases to the courts and to sue data controllers in breach with the GDPR for compensation. This often overlooked novelty can empower civil society organisations to have a greater role in the regulation of personal data. NOYB, E-Bastille, La Quadrature du Net’s class action are just a few examples of strategic litigation initiatives in Europe based on this new collective redress mechanism.

Our proposal does not aim at talking about the GDPR. Much has already been said about it. The better question is: from here, where do we go? While the principles of GDPR are now enshrined in law, many questions are still open regarding their implementation, their relationship with other legal regimes or with Internet standards, and the role of civil society. In short, our panel is about the future of privacy and the road ahead.

> Background papers :
Summary of the European Civil Society Workshop on Data Protection Litigation
Policy Brief of the European Civil Society Workshop on Data Protection Litigation

Online Participation

The online participation will be organized as a mirror of the onsite participation, with a dedicated moderator to ensure active participation and engage online participants. The remote moderator will be involved throughout the workshop to engage the online audience and integrate their views and questions in the discussion (Discussion, Q&A session...).

> During the e-opening,
the dedicated moderator will gather feedbacks from remote participants.

> e-discussion:
Remote participant will be invited by each group facilitator to join the discussion.

Online participants will also be invited to directly participate to an online study on privacy practices. The link will be provided at the beginning of the session by the moderators.

> Also, for the conclusion, feedback from the online audience will be integrated, as well as their participation in the online study.

Before the event, co-organizers will promote the workshop to the wider community in order to give remote participants to join the session and to prepare questions.