IGF 2019 WS #297 Developing a "GDPR" for Asia: Challenges and Solutions

Organizer 1: Civil Society, Asia-Pacific Group
Organizer 2: Civil Society, Asia-Pacific Group
Organizer 3: Civil Society, Asia-Pacific Group
Organizer 4: Civil Society, Asia-Pacific Group
Organizer 5: Civil Society, Asia-Pacific Group

Speaker 1: Smitha Krishna Prasad, Civil Society, Asia-Pacific Group
Speaker 2: Ananda Raj Khanal, Government, Asia-Pacific Group
Speaker 3: Farzaneh Badii, Civil Society, Asia-Pacific Group
Speaker 4: Yik Chan Chin, Civil Society, Asia-Pacific Group

Policy Question(s): 

How have countries in Asia followed human rights principles in their existing legal and regulatory frameworks for data protection and privacy? How can Asian countries link ethical considerations to their legal mechanisms on data protection and privacy? What are the key challenges to development of an ethical and robust region-wide data protection regulation in Asia? How can the RegTech sector be leveraged to help develop an intergovernmental consensus on data protection and privacy in Asia and how will RegTech affect human rights online? How can digital rights be ensured through a region-wide regulation in a landscape where many countries have autocratic or authoritarian governments? How can regulatory integration be protected against the interests of data/surveillance capitalism in the region? What lessons does GDPR compliance by companies in the ASEAN region provide in terms of the potential economic benefits from having an Asian version of the GDPR? How can existing compliance with EU GDPR in Asia be leveraged to develop case studies for advocacy on data protection and privacy in Asia? How to engage China in a discussion of region-wide Internet governance in Asia?

Relevance to Theme: The development of a region-wide regulation on data protection and privacy can help move forward the data governance agenda in Asia. Without ethical, robust, and human rights-driven laws on data protection and privacy, any attempt to use large-scale data collection, storage, processing, and transfer to boost economic development in Asia may result in violations of human rights. The proposed session hopes to bring different stakeholder groups together to discuss and develop strategies for both government action and civil society advocacy on an overarching data protection regulation for Asia, which may allow for more regional collaboration and also push countries that are not thinking about data protection and privacy laws to pay attention. The proposed session therefore directly contributes to the debate and discussions envisioned for the Data Governance theme for IGF 2019.

Relevance to Internet Governance: The process of development of a general data protection regulation for the Asian region will require collaboration and consultation between governments, the private sector, and civil society groups at an unprecedented scale. This will hopefully lead to shared human-centric rules for online data protection and privacy eventually. The session’s discussion regarding solutions to the challenges of developing such shared rules, therefore, directly relates to Internet Governance.

Format: 

Break-out Group Discussions - Round Tables - 90 Min

Description: The European Union’s General Data Protection Regulation, enforced in May 2018, is perhaps the most revolutionary regulation related to data protection and privacy of the 21st century so far. It has brought data privacy across the European Union (EU) in sync, allowed companies operating in EU to be governed by one set of laws, provided legal requirement for “privacy-by-design”, and protected the data privacy of all EU citizens alike. It has also provided an important benchmark and precedent for other countries and regions that want to work on data management in a way that citizens have more control over the data and human rights principles are upheld in user data management processes.

The GDPR has already affected Asian companies due to its extraterritorial applicability. At the same time, civil society groups in Asia are keen to see how benefits of the GDPR (better protections for citizens, transparency in industry practices, data portability) can be applied in their home countries. The process of developing a regional data protection regulation in Asia is arguably more difficult than in Europe because of the diverse nature of Asian states, the level of development of democratic structures and processes in members states, the absence of a regional multilateral intergovernmental organisation that covers all of Asia, and the lack of existing safeguards for data protection and privacy in national cyber laws in many Asian countries. In order to facilitate the process and determine its practicality, the proposed workshop session will help bring together discussions in various Asian countries about adopting laws similar to the EU GDPR and help develop a clear statement of needs, key challenges, and possible solutions for developing and implementing a similar regional regulation in Asia.

The workshop session format will be breakout group discussions with round table arrangement to allow for maximum interaction among the session participants. Through a series of group exercises, the proposed workshop session will help participants familiarize themselves with aspects of the EU GDPR, discuss ways in which similar measures might help in the Asian context, figure out the challenges that would impede advocacy and action on these measures in the Asian region, determine the worst responses to these challenges and then use these responses to brainstorm practical solutions, and finally to figure out how the practical solutions can be implemented on a regional scale to push for an integrated regulatory framework.

The workshop session agenda is as follows:

Introduction to the session (Moderator, 5 minutes) – The session moderator will share the rationale behind the session and its intended objectives with the participants.

Getting familiar with the EU GDPR (Group exercise, 10 minutes) – Each group will be provided one key change implemented in the data protection regime by the EU GDPR (for example, the GDPR forces companies to get user consent for data processing in a clear and intelligible way using plain language). The participants will be asked to discuss what is the best thing about this change. The groups will be encouraged to keep in mind digital rights and think about how the EU GDPR section assigned to them helped uphold the digital rights.

Group presentations (10 minutes) – The moderator will call upon one representative from each group to share a brief comment (1-2 lines) on the result of their group discussion about the EU GDPR section assigned to them.

Introducing the local context (Group exercise, 10 minutes) – Now each group will discuss how the same EU measure they discussed in the first exercise might be relevant in the context of Asian countries. Participants will be encouraged to bring to discussion the salient features or concerns related to the data regulations that have been passed in their countries. They may also rely on the advocacy for data protection and privacy in their countries, in the case of absence of local laws on data protection. This will help participants learn about the experience from other countries in the region. Based on the discussion, each group will determine if they want to continue with the measure or rephrase their concern differently for the subsequent exercises in the session. For example, the group discussing user consent might agree to rephrase the concern to say that user consent must be taken in a local language in Asian countries in addition to English to ensure accessibility and comprehension.

Identifying challenges (Group exercise, 10 minutes) - Once the participants have finalized their concern, they will now discuss the challenges to include this measure in data protection regulations. At this point, participants will be encouraged to not worry about an integrated regulatory framework. Rather they will be encouraged to bring as many challenges informed from diverse local and national contexts to the table. Each group will then create a list of the top five challenges they have identified. They will be asked to list these five points on a chart paper or poster provided by the organizing team.

Reviewing the challenges (Moderator, 5 points) – The moderator will read out the challenges identified by each group regarding effective data protection regulations so the other groups can also get informed about the work done by their colleagues.

What’s the worst that can be done (Group exercise, 5 minutes) – The groups will now think about their response to the challenges they identified. Each group will be asked to create a list of five of the worst ways they can think of responding to the challenges identified in the previous exercise. This will help participants understand the need for action and reflect on their own responses at an individual or organisational level at present.

Thinking about solutions (Group exercise, 10 minutes) – The moderator will ask each group to reflect on whether the worst responses were localized or have regional similarities. Each group will then use this reflection to prepare a list of five solutions that are the opposite of their worst-case responses and can be applied region-wide in terms of developing or implementing a data protection regulation.

Breaking out further (10 minutes) – Each participant will now be asked to break out from their own group and find one member from another group. In these pairs of two, the participants will now inform their partner about their favorite solution they came up for the challenge they identified in their group. After three minutes, two pairs will be asked to form a group of four and share their discussion on solutions with each other. After another three minutes, each group of four will be asked to merge with another group of four to form a group of eight participants and repeat the exercise. In this way, the group of eight will be asked to reach a consensus of their favorite policy solution for the development of an Asian version of the GDPR.

Solution presentation (5 minutes) – One representative from each group of eight will be asked to briefly share their group’s solution (1-2 lines) with all the other participants.

Reflection and final comments (Moderator, 5 minutes) – The moderator will share final comments and request the participants to jot down one bold idea about advocacy or development of an Asian GDPR based on their work during the session. The participants will be asked to take this bold idea forward after the IGF and incorporate it in their work.

In order to arrive at practical policy solutions, the session will rely on group exercises that are linked, so the work done in one group exercise feeds into the next allowing the participants to learn from their actions and continue their thought processes in a meaningful, solution-oriented manner. The group exercises will allow for policy discussions, and the moderator interventions and group re-formation at the end of the session will allow for the discussions to proliferate beyond separate groups.

Even though break-out group discussions do not require a set of speakers. However, based on the IGF submission system’s requirement, four speakers have been contacted for the proposed workshop session. The speakers will be assigned one group each and will serve as facilitators for the group assigned to them. They will help the session moderator in communicating with the groups and ensure that group discussions do not diverge from the intended objectives of the session. The organizing team will also visit the round tables to see how the discussions are proceeding and help with concerns the participants might be facing. The use of visual aids and stationery items will be made to help participants record their ideas and share them with other groups during presentations. The online moderator will help bring online participants into the discussion and share their input with the onsite participants through the onsite moderator during the presentation and review sections of the workshop.

Expected Outcomes: The workshop’s expected outcomes are given below:

1. Identification of challenges to Asian GDPR, with a focus on similarity or differences in the nature of the challenges and how broadly they apply to the entire region rather than individual contexts for countries in the region.

2. Help participants reflect on the worst ways to respond to the need and challenges for the development of an integrated regulatory framework for data protection in Asia and determine how their own individual or organisational action weighs against the worst responses.

3. A list of practical solutions to the challenges that may affect development of an Asian GDPR.

4. A set of recommendations for policymakers, tech companies, and civil society organizations in the Asian region for developing an integrated regulatory framework on data protection and privacy, based on the discussion on needs assessment, challenges, and solutions during the workshop session.

Discussion Facilitation: 

Interactivity is already built in to the format of the workshop session as it is a break-out group discussion with round tables. Moderator and organizing team members will also visit the groups to encourage participants to actively take part in the discussions. The moderator will also facilitate presentations from group representatives so members of other groups in the session are also informed of the discussion. The groups will be further broken out at the end of the session and reformed to allow participants more exposure to discussions that took place at neighboring tables and to form a consensus around the policy suggestions. The online moderator will help bring online participants into the discussion and share their input with the onsite participants through the onsite moderator during the presentation and review sections of the workshop. The speakers will sit with the groups during the session and facilitate their discussions in keeping with the agenda and objectives of the session.

Online Participation: 

The group exercises are designed in a way that remote participants can also engage with them. Since the moderator will be reading out the questions and instructions for each group exercise, remote participants will be able to easily follow along. Remote participants can respond to the questions of the group exercises in individual capacity by taking notes on their computers and sharing their responses with the online moderator, who will relay them to the onsite moderator so comments and suggestions from the online participants become a part of the session discussions.

Proposed Additional Tools: The online moderator will use Twitter to share the needs assessment, challenges, and solutions being discussed in the session to build online engagement around the session and ensure that the discussions from the session reach a larger audience during the course of the IGF.

SDGs: 

GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 10: Reduced Inequalities
GOAL 16: Peace, Justice and Strong Institutions