IGF 2019 WS #422 Data Protection and Surveillance Impact Assessments

Organizer 1: Civil Society, Latin American and Caribbean Group (GRULAC)
Organizer 2: Technical Community, Latin American and Caribbean Group (GRULAC)
Organizer 3: Private Sector, Latin American and Caribbean Group (GRULAC)

Speaker 1: Mariana Rielli, Civil Society, Latin American and Caribbean Group (GRULAC)
Speaker 2: BRUNO BIONI, Technical Community, Latin American and Caribbean Group (GRULAC)
Speaker 3: Renato Leite Monteiro, Private Sector, Latin American and Caribbean Group (GRULAC)

Policy Question(s): 

How can different methodological approaches to Data Protection Impact Assessments impact civil society and other stakeholders’ ability to participate in their formulation by the public and private sector?

To what extent, and how, should accountability apply do DPIAs as the obligation to elaborate and provide them is implemented?

What kinds of exchange, in terms of policy-making, can be promoted between Europe and countries in the global south that do not have a strong culture of Data Protection Impact Assessments?

How does the notion of Surveillance Impact Assessments relate to Data Protection Impact Assessments in terms of regulation and what additional aspects must be considered in designing SIAs?

Relevance to Theme: Previously assessing the impact of controller’s activities over data protection and the privacy of individuals has been a relevant tool to minimize potential risks and to foster a safer environment for both data controllers and data subjects in the exercise of their rights and freedoms. The broader idea of a Privacy Impact Assessment is present in policy-oriented debates on technology since, at least, the 1980’s. The advent of data protection regulations that adopt a comprehensive approach, which goes beyond basic protection standards and requires active measures to manage and document data, has blurred the lines between data protection and data governance. One of the basic requirements established by the more widespread methodologies for DPIAs is the identification of practical measures to mitigate risk, something that can be attained by data governance mechanisms. In that sense, the discussion that we aim to promote through this workshop is in line with the most relevant topics being debated currently. At the same time, it is an issue that is very underdeveloped in countries such as Brazil, despite its recently passed General Data Protection Law providing such obligation.

Relevance to Internet Governance: Besides the relevance that stems from the factors described in the previous item, one of the main goals of the workshop is to discuss methodological approaches to Data Protection Impact Assessments, considering existing standards (e.g. WP29 and European Data Protection Board recommendations), as well as impact assessments that focus solely on surveillance. The exchange of perspectives between different stakeholders, coming from different regions, is bound to result in a rich discussion that involves current regulation, principles and shared understandings on the role of impact assessments and how different players can influence their elaboration;
"Internet governance is the development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet."

Format: 

Panel - Auditorium - 90 Min

Description: The workshop will be divided in three parts, roughly 30 minutes each: the first will be headed by Data Privacy, as its researchers go over the main goals of the workshop ang give a brief overview of the brazilian regulation and the perspectives for Data protection and Surveillance Impact Assessments in the country. The second part will be shared by two speakers from different stakeholder groups located in Europe (we have invited a member of the CoE and a member of Facebook), who will then provide their perspective and the experience that has been built so far in the region in regards to methodologies and uses of impact assessment reports. Finally, the third section will be a free debate between all speakers, the goal being to achieve some common understandings and perspectives.

Expected Outcomes: The expected outcomes for this workshop are: (i) to achieve a prolific exchange of perspectives and also information between the participants; (ii) to raise awareness about the discussion of Data Protection Impact Assessments and Surveillance Impact Assessments in countries (mainly the global south) which haven't advanced much on the topic, despite the relevane and potential it holds.

Discussion Facilitation: 

By preparing questions (both for the other speakers and for the audience) beforehand.

Online Participation: 

Data privacy has a big network of people who are very engaged in these debates. We plan to talk about the workshop and share the online tool beforehand in order to make sure there is plenty of participation.

SDGs: 

GOAL 16: Peace, Justice and Strong Institutions