IGF 2019 WS #297
Developing a "GDPR" for Asia: Challenges and Solutions

Description: The European Union’s General Data Protection Regulation, enforced in May 2018, is perhaps the most revolutionary regulation related to data protection and privacy of the 21st century so far. It has brought data privacy across the European Union (EU) in sync, allowed companies operating in EU to be governed by one set of laws, provided legal requirement for “privacy-by-design”, and protected the data privacy of all EU citizens alike. It has also provided an important benchmark and precedent for other countries and regions that want to work on data management in a way that citizens have more control over the data and human rights principles are upheld in user data management processes.

The GDPR has already affected Asian companies due to its extraterritorial applicability. At the same time, civil society groups in Asia are keen to see how benefits of the GDPR (better protections for citizens, transparency in industry practices, data portability) can be applied in their home countries. The process of developing a regional data protection regulation in Asia is arguably more difficult than in Europe because of the diverse nature of Asian states, the level of development of democratic structures and processes in members states, the absence of a regional multilateral intergovernmental organisation that covers all of Asia, and the lack of existing safeguards for data protection and privacy in national cyber laws in many Asian countries. In order to facilitate the process and determine its practicality, the proposed workshop session will help bring together discussions in various Asian countries about adopting laws similar to the EU GDPR and help develop a clear statement of needs, key challenges, and possible solutions for developing and implementing a similar regional regulation in Asia.

The workshop session format will be breakout group discussions with round table arrangement to allow for maximum interaction among the session participants. Through a series of group exercises, the proposed workshop session will help participants familiarize themselves with aspects of the EU GDPR, discuss ways in which similar measures might help in the Asian context, figure out the challenges that would impede advocacy and action on these measures in the Asian region, determine the worst responses to these challenges and then use these responses to brainstorm practical solutions, and finally to figure out how the practical solutions can be implemented on a regional scale to push for an integrated regulatory framework.

The workshop session agenda is as follows:

Introduction to the session (Moderator, 5 minutes) – The session moderator will share the rationale behind the session and its intended objectives with the participants.

Getting familiar with the EU GDPR (Group exercise, 10 minutes) – Each group will be provided one key change implemented in the data protection regime by the EU GDPR (for example, the GDPR forces companies to get user consent for data processing in a clear and intelligible way using plain language). The participants will be asked to discuss what is the best thing about this change. The groups will be encouraged to keep in mind digital rights and think about how the EU GDPR section assigned to them helped uphold the digital rights.

Group presentations (10 minutes) – The moderator will call upon one representative from each group to share a brief comment (1-2 lines) on the result of their group discussion about the EU GDPR section assigned to them.

Introducing the local context (Group exercise, 10 minutes) – Now each group will discuss how the same EU measure they discussed in the first exercise might be relevant in the context of Asian countries. Participants will be encouraged to bring to discussion the salient features or concerns related to the data regulations that have been passed in their countries. They may also rely on the advocacy for data protection and privacy in their countries, in the case of absence of local laws on data protection. This will help participants learn about the experience from other countries in the region. Based on the discussion, each group will determine if they want to continue with the measure or rephrase their concern differently for the subsequent exercises in the session. For example, the group discussing user consent might agree to rephrase the concern to say that user consent must be taken in a local language in Asian countries in addition to English to ensure accessibility and comprehension.

Identifying challenges (Group exercise, 10 minutes) - Once the participants have finalized their concern, they will now discuss the challenges to include this measure in data protection regulations. At this point, participants will be encouraged to not worry about an integrated regulatory framework. Rather they will be encouraged to bring as many challenges informed from diverse local and national contexts to the table. Each group will then create a list of the top five challenges they have identified. They will be asked to list these five points on a chart paper or poster provided by the organizing team.

Reviewing the challenges (Moderator, 5 points) – The moderator will read out the challenges identified by each group regarding effective data protection regulations so the other groups can also get informed about the work done by their colleagues.

What’s the worst that can be done (Group exercise, 5 minutes) – The groups will now think about their response to the challenges they identified. Each group will be asked to create a list of five of the worst ways they can think of responding to the challenges identified in the previous exercise. This will help participants understand the need for action and reflect on their own responses at an individual or organisational level at present.

Thinking about solutions (Group exercise, 10 minutes) – The moderator will ask each group to reflect on whether the worst responses were localized or have regional similarities. Each group will then use this reflection to prepare a list of five solutions that are the opposite of their worst-case responses and can be applied region-wide in terms of developing or implementing a data protection regulation.

Breaking out further (10 minutes) – Each participant will now be asked to break out from their own group and find one member from another group. In these pairs of two, the participants will now inform their partner about their favorite solution they came up for the challenge they identified in their group. After three minutes, two pairs will be asked to form a group of four and share their discussion on solutions with each other. After another three minutes, each group of four will be asked to merge with another group of four to form a group of eight participants and repeat the exercise. In this way, the group of eight will be asked to reach a consensus of their favorite policy solution for the development of an Asian version of the GDPR.

Solution presentation (5 minutes) – One representative from each group of eight will be asked to briefly share their group’s solution (1-2 lines) with all the other participants.

Reflection and final comments (Moderator, 5 minutes) – The moderator will share final comments and request the participants to jot down one bold idea about advocacy or development of an Asian GDPR based on their work during the session. The participants will be asked to take this bold idea forward after the IGF and incorporate it in their work.

In order to arrive at practical policy solutions, the session will rely on group exercises that are linked, so the work done in one group exercise feeds into the next allowing the participants to learn from their actions and continue their thought processes in a meaningful, solution-oriented manner. The group exercises will allow for policy discussions, and the moderator interventions and group re-formation at the end of the session will allow for the discussions to proliferate beyond separate groups.

Even though break-out group discussions do not require a set of speakers. However, based on the IGF submission system’s requirement, four speakers have been contacted for the proposed workshop session. The speakers will be assigned one group each and will serve as facilitators for the group assigned to them. They will help the session moderator in communicating with the groups and ensure that group discussions do not diverge from the intended objectives of the session. The organizing team will also visit the round tables to see how the discussions are proceeding and help with concerns the participants might be facing. The use of visual aids and stationery items will be made to help participants record their ideas and share them with other groups during presentations. The online moderator will help bring online participants into the discussion and share their input with the onsite participants through the onsite moderator during the presentation and review sections of the workshop.

Expected Outcomes: The workshop’s expected outcomes are given below:

1. Identification of challenges to Asian GDPR, with a focus on similarity or differences in the nature of the challenges and how broadly they apply to the entire region rather than individual contexts for countries in the region.

2. Help participants reflect on the worst ways to respond to the need and challenges for the development of an integrated regulatory framework for data protection in Asia and determine how their own individual or organisational action weighs against the worst responses.

3. A list of practical solutions to the challenges that may affect development of an Asian GDPR.

4. A set of recommendations for policymakers, tech companies, and civil society organizations in the Asian region for developing an integrated regulatory framework on data protection and privacy, based on the discussion on needs assessment, challenges, and solutions during the workshop session.