Welcome to the United Nations | Department of Economic and Social Affairs






22 OCTOBER 2013

WS 18, WS 319




The following is the output of the real-time captioning taken during the Eigth Meeting of the IGF, in Bali, Indonesia. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.


[Please stand by. The session will begin momentarily]

>> Hello, hello?

>> Hello, hello.

[ Background conversation ]

[ No audio ]

>> Good morning, everyone. Welcome to the session on Privacy in Asia. My name is Nir Kshetri. I am from University of North Carolina. We have four highly qualified panelists in this session. Professor Edmon Makarim from the Indonesia University.

Mr. [ Inaudible name ] also we have ‑‑ we are trying to connect to our remote participants from Keio University and we are having a little bit of technical problem is why the session is delayed a little bit. Remote parties Professor Jim Foster who is coorganizer with me from Keio University and also there's Professor ‑‑ who is dean of the School of Information environmental studies and also a former board member of ICANN IGF process.

Again in this session we are trying to examine four or five issues of privacy in Asia. Protecting Privacy online in the developing countries in Asia, that means actually first thing the meaning of privacy itself might be different in Asia. Normally understood by the privacy term in the western countries. And also privacy is a new thing in many of the Asian developing countries, especially. And some of them are drawing from the European Union Framework and some of the things come from the U.S. framework and they have their own things locally and how they are integrating those things in the Asian countries and. Also a lot of things going on about harmonization and alignment of national privacy regulations and national privacy regimes across the Asian Region.

We will talk about that. And also, we will talk about how exactly the panelists will talk about how exactly the resulting Asian approach to privacy will be different from the European Union and the U.S. approach to privacy. And also, the other thing we are examining in this panel is that who are the main participants in the privacy in those Asian countries like the Government, or the special interest group, or trade association or professional association, or maybe the technology vendors, consumers, like what are the different roles?

And a lot of concerns in the European Union countries and maybe also in Japan the strict privacy regulation because of the strict privacy regulation businesses have not been able to utilize these modern information and communication technologies, like cloud computing, big data and all the important things and how exactly the privacy things for the strictness of the privacy regulations have affected that.

So we will focus on the five things. Let's check one more time in our remote participants is working?

I will just stop here because we have four panelists here and how's the remote participation?

Professor I would like him to talk about the thing couple minutes and you will be the first to speak.

So any progress? If this works we will go back to Keio and in the immediately we will start with Professor Xong Xue.

>> XONG XUE: Good morning, ladies and gentlemen. Thank you for giving me the opportunity to present at first one. A clash of schedule for me I need to ran to another workshop. In 14 minutes. Sorry about that, but I am happy to answer any questions after my short presentation. I would respond to Nir's questions onebyone I changed the sequence a little bit. I moved question No. 5 to No. 3. But I address all of them.

What I talk about is privacy in China, the law and the practices is pretty good. This is a legal panel. We will talk about legal issues. Please go back to the first page.

This is the last page, actually.

Okay. For the legal framework in China, on privacy protection, it has been growing quickly ‑‑ Page 2, please, thank you ‑‑ what we can see is the most important significant development is the decision enacted by National People's Congress standing committee on strengthening network information protection. At end of December 2012.

This is so far the most important legal sources for privacy and personal privacy protection on the Internet. National People's Congress is the Chinese Parliament the highest legislature. The standing committee is the working body of the highest legislature. So the decision is not ‑‑ called a law, because it's too brief and too principled ‑‑ doesn't go through much details however it outlined couple of key principles on privacy principles on the Internet. The people ‑‑ the decision, there are the laws, I have to say in China is no comprehensive law that everything addressed in subjects of law ‑‑ in enacted in 2007 the law grants for the first time civil rights for privacy. At least data subject they can claim that privacy is independent, private and civil rights. And remedy is ‑‑ that's pretty important. There's other laws, such as criminal law. Those organizational institution handling personal datas, and selling and misappropriate these data subject to legal punishment. Apart from these laws enacted by legislatures, there are other administrative regulations addressing different aspects of privacy and personal data protection.

For example, there are couple for administrative regulations protecting network security and data protection and the privacy actually, incorporated in those protection. And also there's administrative regulations, regulating market order in Internet market services and addressed the obligation of the service provider, data and privacy protection. Next page, please.

I tried to outline what is protected Chinese framework regarding privacy and personal data. First of all ‑‑ principle is commonplace and widely recognized across region and around the world. For data collection process, communication, and dissemination of it must be subject to data subject's consent. Informed consent is No. 1 principle for privacy principles. The collection subject to the principle of legitimacy, necessity and just vacation. For the legality, you should never leak or steal the other person's data; the data should be collected to the ‑‑ scope of necessity ‑‑ only necessary information should be collected. Or expansive collection is not permitted.

But is also important is that the decision enacted by National People's Congress Standing Committee ‑‑ any question? I am happy to respond to that. Another principle is being established in China is for the first time, the enactment of the decision by the National People's Congress Standing Committee ‑‑ supposed to publishing own privacy ‑‑ different from the Facebook or Twitter. You can ‑‑ another issue is quite relevant to privacy protection in China is for the Internet access Services and for the telecom Services, and as Chinese law all the user must submit their real name information. This is a real name checking system. And in that case those information service provider, including Internet access provider and telecom Service provide they are actually maintaining and collecting a large amount of personal data. And in response to this real name requirement, the legal obligation for personal data protection on these services is comparatively higher.

Another observation is that under the Chinese legal system we can see many administrative regulations and the public law remedies. If you breach the data protection laws you are subject to administrative liability or criminal liability, could be subject to penalties, but for the civil remedy how to directly address the private engrievement of data subject is weak and is unfortunate and should be enhanced in the future. For data subject they are now entitled to declare to request a service provider to remove the infringed information if there's really a leakage of personal data. Information supposed to be removed, but no other remedy available to data subjects, which is pretty unfortunate, because data protection is to protect the Human Rights and metadata subject rights not the public ‑‑ and of course as said last point the public law protection is pretty strong. Next page, please.

The second question is on this possible harmonization, unification in AsiaPacific Region. Very good question. In China, Chinese Government is very much emphasizing the crossborder ‑‑ and they believe the future development of international trade will be primarily relying on this crossborder electronic ‑‑ and Chinese Government with 12 agencies, including Ministry of Commerce and general administration of customs these key stakeholders are issued a circular and facilitation and crossborder ecommerce so they really see the potential to sell goods and services through the Internet. In that case this will inherently involve a data flow, in and out of Chinese border.

This is very important issue. And I assume the other big economies or the other economies in Asia are also developing this international trade through online, ecommerce platform.

So there is a great potential for developing this harmonious data protection legal framework. There's a need for this. Think about the ecommerce, is naturally borderless and serious and conflict on laws and there's really a big headache for the ecommerce providers.

If it could be harmonious and, really, is respectful legal framework in the region that really great blessing to the development of ecommerce. What I can see things that Nir kindly asked us to have the prospectus of this collaboration, or harmonization ‑‑ I do believe there's a big possibility to develop comparable protection in different Asian countries.

I do know in Indonesia, Malaysia and Singapore, developing privacy and data law and for those basic principles are very much in common, saying nations for the Chinese, personal data protection, those basic three principles the consent legality, and necessity, are widely accepted. So it is possible at least, which is back to basic protection of privacy and personal data, to harmonize in this region.

But, of course, we need a legal framework, how to harmonize that apart from the soft rule and nonbinding principle that's the countries or the stakeholders can subscribe, what about in the framework ‑‑ we see many free trade agreement as concluded in this region and force a transPacific partnerships being negotiated and we see some provision in the free trade agreement. Is that the right direction to go? We include privacy protection in the ‑‑ or this region is still unprepared for this region legal harmonization. Next page, please.

This is on cloud computing and big data. What you can see is China is really developing this big data business and creating new business model actually. And this has stirred concern on data security and data sovereignty.

In my experience of drafting the Chinese government regulation on Internet retailing ‑‑ what they see is they believe the big data, especially the data connected by this huge Internet transactional platform like Ali Baba is bigger than Amazon and eBay. Those data on the platform is already impactful to the national economic security and the location and the retention of this data should be subject to legal regulation.

And this is another legal area to presume we can see another area of conflict of law. Maybe we should take into account and harmonization ‑‑ next page, please.

For the international model the U.S. model is primarily in the private sector. We have no commerce ‑‑ of either model ‑‑ each approach there's really a nice forwardthinking.

If you use the wisdom of Confucianism, something in the middle is always the better solution. So probably it is regulation model along with private sector's commitment, we work from both sides ‑‑ next page, please.

The stakeholders groups involved in these privacy protection in China ‑‑ the most important group is stakeholder ‑‑ not liked to be called stakeholder, but regulators and there's private sector, the businesses. What is important is not really purely private sector, because the State enterprises not occupying and there's over 50% of the whole economy, businesses, especially the telecom, Chinese Telecom market is not regulated and ‑‑ other public services, could be nonprofit or for profit. Educational services operating on the Internet. These organizations offering services and collecting huge amount of data. They very much stakeholder in this regime. Last, but not at least the Internet community in china what we see is really interesting the Internet Community in China have become very much articulate. Their message on data protection. And data security.

That's my briefing. Sorry I am taking more time than I am supposed to. Thank you.

>> NIR KSHETRI: Thank you, Professor Xong. She has another conflicting session.

And she has to go to that session after some time. She will not be here for the Q&A session at the end. If you have something to ask Professor Xong, to ask now.

Yes, please.

>> I wondered if you were able to comment on the administrative information the technologies notice on small form measures. Which are intend to protect privacy on smart devices. Do you have any comments ‑‑ it was missing from your list.

>> XONG XUE: Sorry. You named the National People's Congress decision? Or another circular? I mentioned the two different things.

>> AUDIENCE MEMBER: So there's a notice on the smartphone security measures and intended the devices and privacy of data on devices and consent for the prior installation of applications that may access people's data. One the first things this Asia to address smartphone privacy.

>> XONG XUE: Thank you for the question. If you asked my observation, what I can see is that privacy protection for the long time in China has been backseated and the service provider's obligation to the government is very much the priority. In any case, it should submit the data in their position to the government for law enforcement purposes. Security there's very good prospective ‑‑ civil rights in Chinese legal system. Those administrative regulations provides sort of data protection, but privacy protection is only the byproducts ‑‑ yes, we can see the coalition of and security and privacy, but at the same time, security seems not the priority. When they work together.

>> NIR KSHETRI: Another question for Professor Xong?

>> AUDIENCE MEMBER: Yes, thank you. I wanted to ask a clarification regarding the real name policy you mentioned. Precisely I wanted to know what is scope is and the content. For example, does it apply to microblogging I know is quite popular in China.

>> XONG XUE: Right the real name ‑‑ is widely applied in China primarily in two areas. One area is the telecom market, you have to submit your real name information and verified by your photo ID. And another area is Internet access services. You are very right. It's not limited to the ISP, but also expanding to the ICP such as microblogging, for example, you want to register a account and ‑‑ you need to submit your real name information and will be very fine. Yeah, this is legal requirement. It's not subject to operators' business policies.

>> NIR KSHETRI: I think we have time for one more question, please and we have to move to other speakers. Let's do two okay.

>> AUDIENCE MEMBER: Professor Xong I would like to ask we know in 2008 APEC introduced Internet privacy framework across the region known as the Pathfinder project. My question is has China found this framework useful? And have they adopted parts of the framework within this? I think the question could be useful for countries who are about to start on their path in introducing privacy laws and China's experience would be helpful here.

>> XONG XUE: Thank you. Yes, China has been the part of the APEC privacy Program and actually there's a ebusiness alliance, founded by Chinese government. And then the Chinese government is looking at these principles and I am recently completed a project with the Chinese Government to research, reassess the impact of these principles from APEC. And they could be kind of introduced into Chinese international trades through ecommerce system. Yes, it's very much being researched in China.

And that's very good starting point for our regional harmonization with respect to data law.

>> I have a question when I heard Xong mention about the big data produced by ecommerce operators, should be regulated by law. That concerns me a little bit. In terms of security. Because that can go either way.

And can you operate on your idea of regulation of big data?

>> XONG XUE: Thank you. That's also my concern. For the example think about Ali Baba. Other platform and there's one of the is things going to be regulated in China is the location of their server. They want to cloud their data out ‑‑ United States data center Chinese government would be really thrown. They think about data retention should be subject to stricter scrutiny.

Only one the concerns; there will be other concerns.

>> NIR KSHETRI: Let's thank you Professor Xong for a nice presentation about China and we will move to Professor Fumio Shimpo from Keio University and he will talk about Japan now.

I think they are still working on that. Remote participation is not working still, right?

Let's start.

>> FUMIO SHIMPO: Could you open my presentation file? Next, I am Fumio Shimpo from Keio University. May I introduce a little bit myself.

The areas of my expertise is constitutional law and under cyber law is my main research. I have served many committee member and counsels on government Japan privacy on the security. Currently I am in charge of the Vice Chair of the OECD working party information and security. Let's start my presentation.

The title of my presentation is current framework and the future approach for protecting privacy in Japan.

And there are five questions asked about the IGF proposal. And five questions.

The first question, I will explain about this question, with respect to the current legal framework for protecting passing information in Japan and going issues and the consideration for protecting privacy from the point of personal data protection. Which includes P.I.I. and nonP.I.I. and second question: I have prepared a PowerPoint slide sheet to discuss about the harmonization and not the harmonized aspects of differences between the EU, U.S. and ASEAN countries. Promoting to protect privacy by coordinating crossborder enforcement as you know. Regarding the third question, I also made a PowerPoint that explains this question. And fourth question is who are the key actors?

This is very difficult question to answer regarding in Japan, because Japan does not have think supervisory authority. I am one the key actor in privacy ‑‑ in Japan. And however there are no privacy ‑‑ in Japan.

Next question is regarding the cloud computing and regarding the handling of personal information from the point of the big data. There's no restriction using cloud services in Japan. And also regarding big data utilization some companies are trying to promote big data businesses. However, some cases are strictly criticized by consumers.

Next slide, please.

Next slide is the brief introducing the history of establishment of laws relating to personal data protection in Japan.

Next slide.

This sheet is for purpose of I made this sheet for ‑‑ to relationship between OECD, APEC and EU and U.S.

Next slide, please.

In Japan the region passed data protection laws in private sector on the national level has been performed by the government since July 1999.

At that time, a personal data protection was only for based on the guideline for private sector.

Therefore, the government decided to enact a law for comprehensive scheme for personal information protection. The new law has been enacted in May 2003, ten years have passed since that law enacted.

And at the same time, at rate of agency passed data personal protection law, took effect the new personal information protection law was an overhaul of the 1988 law. In Japan, we enacted the first law in 1988, based on the OECD guidelines.

And all of these personal data protection laws has been shaped around main points of the OECD privacy Guidelines. Using the personal data protection laws applicable to private sector as an example.

And it was referred to eight OECD privacy Guidelines. Next slides, please.

And the second generation of late efforts, considered the protection personal data fundamental right distinct from the right to privacy.

The Japanese data protection legislative structure is based on three main laws related to the personal protection enacted on May 30, 2003.

Also there are several laws regarding the administrative agencies and independent administrative agencies.

Next slide, please.

In order to save time, please refer to the PowerPoint slides. They are five main laws regarding the personal information protection law in Japan. Next slide, please.

This is the structure of current Japanese personal information protection law.

There are basically policy and personal information protection law and several guidelines. Next slide, please.

This is slide 4 changing the private sector and public sector. Japanese law is a comprehensive personal protection law however the area the private and public sector is divided into several laws. Next slide, please.

And this is a problem of the current Japanese law. As you see there are many guidelines. I counted the number of guidelines. There are 42 guidelines for each competent Minister, because Japan does not have any supervisory authority in Japan therefore, each competent minister has a right to enforce that law based on the guidelines, each minister has a right to enforce law. So therefore, there are 42 guidelines have been enacted for the enforcement of law. Very complicated structure of Japanese guidelines.

Next slide, please.

I skipped that slide. Next slide, please.

Next slide, please.

Yes. Next I like to talk about the little bit the current for protecting privacy from the point of view of several administrative guidelines. In the past guideline is for the smartphone users. Report of the studies group on the use and ‑‑ personal data for protecting privacy and personal information for smartphone users. Next slide, please.

Based on the discussion of the consumer issues, and the ICT and its working group, that name of that report is the smartphone Privacy Initiative.

The purpose of smartphone Privacy Initiative is to implement longterm development of a smartphone market with properly handling of information and improvement of user literacy. Has been proposed so as to allow the user to access services in safe and secure manner. Next slide, please.

And this ‑‑ present smartphone user Information Handling Guideline widely applicable to relevant business operators of smartphones and also this initiatives proposes measures for improving the effectiveness of the guideline. For example, system for the verification of application by a third party. It's proposed as one of the measures is for protecting privacy of consumers of smartphone users. Next slide, please.

And regarding structure of smartphone services, in order to save time, please leave refer to the PowerPoint slide. And this slide is open to the public on the website of Minister of Internal Affairs of Communication in Japan. Next slide, please.

And the current situation regarding ‑‑ collection of information and purposes there are many ‑‑ for collecting information through application smartphone application.

Next slide, please.

Next slide is explanation for the new national ID law. The new law has just been enacted for the purpose of using new national identification for social welfare and national taxation.

So I would like to explain this slide. This is from the point of view using information by this new National Identification System.

Difficult to explain for me so please forgive me. Just see this slide. Next slide, please.

The personal data is already protected by the Japan's personal protection law. However the personal data that's used in this slide it's not personal information, meaning it's a little bit different from personal information in Japan. It means following the discussion, concerning the scope of protected information related to individual. So we defined personal data as information about an individual in general, not limited to information, which is personally identifiable and defined as protected personal data.

Information about individual to be protected. Next slide, please.

Based on the notion of this personal data protection should be handled in accordance with the context at the time of data acquiesce and privacy of data. And regarding the method of making for personal data utilization, as I mentioned before, Japan does not have any supervisory authority regarding the standard therefore a multistakeholder process is one the solution to solve the current problem and established a new framework. And at the same time, now we are preparing new national supervisory authority for competent ‑‑ the acquisition standard. The personal data is appropriate to make maximum use of privacy ‑‑ technology ‑‑ using the ‑‑ and encryption. Next slide, please.

Lastly, I like to mention about the current ongoing issue and current ongoing consideration regarding the protection of personal data in Japan. The current, the IT strategy headquarter is now under consideration for establishing the new National Supervisory authority based on the personal information protection law. Therefore until the end of this year, 2013, the report for law revenue of current Japanese personal data person information law will be open to public until the end of this year.

So therefore, now we are rushing into consider to establish the new supervisory authority to complete ‑‑ regulation standard of privacy conference and steps like that. Thank you very much.

>> NIR KSHETRI: Thank you very much Professor Shimpo. We have time for three questions.

Then move to the next speaker. So anyone has any question about privacy in Japan?

Yes, please?

>> AUDIENCE MEMBER: Thank you Professor for your presentation. I just want to ask some more question about, you mentioned that you are in the process of amending the regulation in Japan. And could you please explain, is it for a comprehensive or the sector? And the second one, how's the Japanese perception of the community of the privacy? Thank you.

>> FUMIO SHIMPO: The current Japanese information law is comprehensive law it covers both public and private sector and the new law which will be amended soon. So and also the new law will also cover whole area of both private and public sector law. However there are several sectoral law for protecting for example the secrecy of communication and there's some sectoral law. Only one comprehensive law is current Japanese privacy personal protection information law.

>> Thank you.

>> NIR KSHETRI: Yes, please.

>> AUDIENCE MEMBER: Thank you for your extensive mention about this OECD and APEC and together with what's happening in Japan. Could you explain a little bit more about how Japan is trying to harmonize with this guidelines provided with APEC and OECD in this sense? Thank you.

>> FUMIO SHIMPO: As you know the OECD guidelines has been amended and open to public the 9th of September in 2013.

The main point for the amendment of this new OECD guideline is the new guideline provides that privacy enforcement authority and privacy management program, and there's some main focus for protecting personal information. Therefore that cabinet office is now in the Japanese government the cabinets office is now under consideration for amending personal information protection law based on the amendment of the new OECD guideline.

Because OECD a new OECD guideline provides that it is necessary to establish the privacy enforcement authority; however, Japan doesn't have any supervisory authority and also we have not yet been able to obtain the privacy commissioner's conference ‑‑ and we actually obtained the privacy commissioner's conference and as observer, but yet at the same time we have not been able to obtain PGEN.

OECD guideline is to establish a new supervisory authority, with the ‑‑ new national OECD guideline. At the same time, regarding the ‑‑ program, we join the CPP program last month, so therefore now we are trying to pass ‑‑ we are trying to make a joint to the APEC and also the APEC ‑‑ and particularly CPEA and APPA is already a member of this. Thank you.

>> NIR KSHETRI: Time for one more quick question if anyone?

>> AUDIENCE MEMBER: Professor I thought it was fascinating that Japan made a decision not to have central regulating body and now it's analyzing whether it should because of the OECD guidelines.

Could you share maybe some of the experiences, not having the central regulatory body, maybe there's some advantages or disadvantages that you have discovered? Thank you.

>> FUMIO SHIMPO: Even if we don't have any such central supervisory authority, however, maybe you remember that there were 42 guidelines and each competent minister have a very strong enforcement power in Japanese government.

It's very strong bureaucratic power in Japan. Therefore ‑‑

[ No audio ]

[Attempting to reconnect to audio source]

[ No audio ]

[Standing by]

[ Off microphone ]

>> Okay.

So I wanted Professor Murai to talk a little bit.

>> Professor Foster would like to have a word.

>> We will move to our last speaker:

>> Thank you very much. Moderator.

I refer to the topic of privacy. Privacy in Asia and one aspect of privacy is personal protection. The moderator raised about the five questions. Next slide, please.

What is the current framework. And then how do you assess prospect regimes across ASEAN regions ‑‑ approach privacy protection ‑‑ different in some respect now developed in U.S. and within the EU and what implication does this have for global privacy governance? No. 4 the who are the key actors in the privacy debates in your country and what are the roles and powers? And five the fifth question ‑‑ privacy regulation in your country affected cloud services and big data? I move to the first question. I could say that ‑‑ legal framework ‑‑ privacy paradigms of European Union, United States or OECD guidance principles and also privacy framework. Why? Because until now, we do not enact a particular law regarding the general ‑‑ protection. But almost similar for some countries, privacy as a term or privacy as legal terminology, might be you cannot found in the Constitutions. Maybe on only some countries have privacy as legal terminology, clearly explicitly as a privacy in the Constitution.

If I am not mistaken, almost the majority of the constitutions saying personal life. So Indonesia legal hierarchy the first thing we should raise is privacy as personal life had already protected in Indonesian Constitutions, but instead of Human Rights we have liability to ‑‑ respect the others human rights and also we have liability for security. That is best on constitutions.

And then, we have also Indonesian law and human rights. And this context we have ‑‑ property ‑‑ and also Indonesian law ‑‑ security and ‑‑ so I will explain little bit what our paradigm. In the next slide, but I would like to raise every law in Indonesia with the implemented on specialist ‑‑ generalist. So if we have a particular law or special law, so we would like to implement that instead or except in that special law do not have ‑‑ so we should defer to the general provisions. Because Indonesia inherit ‑‑ we still prepare special law, but it doesn't mean we do not have any provision regarding privacy protection because we have Indonesian law and electronic information and ‑‑ law.

In this law we have also government regulation 2012, we have a standard protection for privacy and online. And we have some other specific law personal data protection as secrecy also.

Next slide, please.

Based on this diagram, in the narrow definitions it is common talking about privacy, everything that might interfere with your personal life. Your security, but under the broad definitions everything outside of yours communications that might be have an impact to your personal life. So in the narrow definition, maybe secure, but anything that might be impact to your personal life, such as someone had already obtained your personal data illegally or maybe unethically or misappropriated so in this context privacy not only talk about the privacy and personal life, but also thinking that might be influence your ‑‑

Based on privacy regime, if we refer to European Union perspective, they pay attention to much of the data personal protection as good or a ‑‑ so everything is moved of this object, that maybe have a lot ‑‑ compared to this prospective is the United States prospective. Privacy based on expectation to privacy. Or reasonable expectation to privacy. If you don't expect the privacy, governments should not pay attention for this matters too much. Because in the context or citizentocitizen for business to citizens it's up to them to their consensus.

It would be an ‑‑ economy if everything, government have interferes for the personal communication and business communications. So that's why we ‑‑ it would be better for Indonesian combine of all of the paradigm. So we have hybrid paradigm.

And next slide, please.

Looking after the Article 26, basically, the first in my opinion, the first imperative for privacy in data protection is approval of the subject's data.

So in this article, we have a provision saying the regarding personal data should be met with approval of the relevant persons. And the Section 2 in this article and any person whose right is violated as referred to in Paragraph 1 may file a lawsuit for damage based on this Act.

If I am not mistaken, until now we don't have criminal provisions about privacy.

We do not have a criminal provision, but we have ‑‑ lawsuit for damage. So it depends on the subject ‑‑ him or herself. Next slide, please.

>> Electronic operators shall remain secrecy in variety of personal data under its management. And ensure the position and use of personal data, personal data is based on the consent unless otherwise provided by laws and regulations.

Disclosure of the data was based on the concept of the owner of ‑‑ acquisition of data. If there's a failure in the protection of confidential private data, electronic system shall notify in writing the owner the person data. Guidelines in ‑‑ refer to Paragraph 2 regulation of the Minister. It means that we in the shortterm period, we would like to make minister regulation regarding the privacy and data protection guidance. in the longterm, we are now making or drafting the Indonesian law for the data protections. One of the colleagues one the drafters on the first line, Sinta from ‑‑ university. And we also have articles ‑‑ five minutes, okay. Article 66, Section 1, saying that privacy ‑‑ so we are on the right track in my opinion, because we have adopt basic principle of the ‑‑ privacy framework by giving role playing to the independent professional to audit and give privacy mark.

And then for the question 2 and 3, you can find ‑‑ for privacy because we are country have special value ‑‑ religious and tolerance ‑‑ maybe this is not the same with the European Union and United States' perspective, most countries have individualism value. ASEAN countries have a common law tradition and also ‑‑ but blended with the custom and religious tradition. Then next slide, please.

This is showing that we need privacy ‑‑ next slide. I am very sorry. Almost five minutes.

Another slide, please.

This is showing that we have ‑‑ master plan and community and also community. Next slide, please.

We would like to develop ‑‑ please? This is many SRO ‑‑ selfrecognition organization and Civil Society organization is the key actors ‑‑ are the key actors in developing privacy guidelines. So each law may have one implementing agency blended government and also the community.

Next slide, please.

And the question five: Implication to cloud computing and big data. We have Article 15 law of the IT. Give the principles of this article is presume liability. So electronic system provider should be liable for everything, because they should guarantee the accountability of the system. Provider shall develop their system in the liable secure and responsible ‑‑ their system working properly. Except if the malfunction of or the mistakes because of the customers or the users, or maybe the force major conditions.

That's my last presentation.

Please next slide.

There's my notes that I propose that Asian country have their own standard regarding privacy, but accommodate privacy frameworks, rules and standards also.

Thank you very much.

>> NIR KSHETRI: Thank you very much, Professor. Let's see if you have any quick questions. We have time for three.

>> AUDIENCE MEMBER: Thank you. My name is ‑‑ I am ‑‑ I will comment to the presenting of Edmon. To some degree I agree that privacy in Indonesia is not a constitutional right. At least not clearly on Constitution.

But I want to give comment on social legal perspective.

In my opinion, privacy don't have sociolegal foundation in Indonesia, because historically and sociologically, Indonesian people are collective people. Collective society, not like European people who or U.S. people who tends to be individual. And in Indonesia it's something like normal to ask what is your age? Are you married? Anything that define as privacy in western society.

Also, if we tried to Indonesian people house, 20 years ago, there is no rooms, no private rooms in Indonesian house.

And there's some people's houses with no room.

If they have room they don't have ‑‑ because privacy ‑‑ there's no concept of privacy in Indonesia.

It's similar with other ASEAN communities. Much of collective societies, don't think that privacy is a big deal. Privacy is rather than implanted from western culture that adapted and in maybe the last ten years in ASEAN. Thank you.

>> Do you want to respond Professor Makarim.

>> EDMON MAKARIM: Our privacy may be ‑‑ it's not similar with the western values so that's why we make a hybrid paradigm. The European Union's ‑‑ and also the United States that's the condition of our social behaviors. Thank you very much.

>> NIR KSHETRI: We have time for two. Let's see, start from the behind.

>> AUDIENCE MEMBER: I wondered if I could follow up on last comment a little bit and I wonder how far you would push that. I know this came up many years ago at an ICANN meeting in Africa where something similar was said and I wonder if you feel the same way when you think about let's say a company, that is mining your personal data to create a profile of and a pattern about you that you don't know they are creating this pattern about you and using that for commercial gain. Do you still feel that that's not something that an Indonesian attitude or cultural approach would see that as an invasion of privacy in some way? I wonder how far you pushing this idea of you really don't care about privacy.

>> EDMON MAKARIM: Thank you very much.

In my second slides, I had already shown there's also Indonesian law regarding consumer protections. So they have also special agency for their protection and also they have Civil Society regarding that.

So the last case is regarding about spending and stealing of the data ‑‑ of the customers become what you call it big cases for Indonesia and operators ‑‑ too much about that.

And then I could say that we had already pushed their thinking and the evidence is we had already have provisioned on the law No. 11, 2,000 H everything of your subject's data should have approval from him or herself. That's it.

>> NIR KSHETRI: Time for only one and can you get from one of those ‑‑

>> AUDIENCE MEMBER: Hi, I had two questions.

The first one ‑‑

>> NIR KSHETRI: Only one now.

>> AUDIENCE MEMBER: The first one was regarding your comment on the expectation of privacy. I am just wondering how that interlinks with the fact that people are not informed about their rights to privacy. So if you're not informed about your right to privacy and privacy and how it can impact you how can you develop a idea of what expectations you have for your protection of your privacy? Just if you can comment on that?


It's quite hard questions. If you say reasonable expectation to privacy, referring to the what is the development based on the Universal Declaration of Human Rights ‑‑ 100% privacy, and we don't add something ‑‑ but after that we can find ‑‑ Human Rights saying ‑‑ and also it's happened in U.S. So there's not a good balance in public interest if you pay attention too much more the privacy but you forget about the public interest.

So the balance of this condition is reasonable expectation to privacy. But on the other hand, we need also legal provisions saying that everyone should have a liability to obtain the other personal data of some persons legally. So we put that on the ministry regulations in the future, but now in the conditions subject expectation to privacy based on the individual to me or himself. If he or she found personal data was already obtained by others, company, they could sue them.

And also, if these standards do not follow by business organization, I believe they don't have a privacy benchmark. Because one provision regarding electronic system is certified by professionals based on some certain standard of the government regulations. Is that clear to answer your question? Thank you very much. Unfortunately I would like to know also about the ‑‑

>> Let's do this at least three more people who want to ask questions. Let's hold them until the end of the session. Also we can directly ask Professor Makarim ‑‑ and we move to Mr. [ Inaudible name ] about privacy. We will be talking about lot of things.

>> It's our remote participant online now.

>> NIR KSHETRI: Okay. Professor Foster is here.

No? No?


Let's hold this for some time? Is that okay? [ Garbled ]


[ Garbled ]

( Inaudible ).

>> Hello?

>> NIR KSHETRI: Professor, first ‑‑

>> ( Inaudible ) [ Garbled ]

>> Sounds wonderful ‑‑ I think particularly because what was clear from presentation is China, whether it's Indonesia, whether it's Japan, Asian governments are working and moving very quickly to develop their own privacy frameworks. We need to be sure as that process goes forward we as academics and researchers get into intelligent and effective ways.

>> JIM FOSTER: The danger we are facing is development of patchwork ‑‑ actually confuses consumers. One thing about regulation internal truth, is that once they are in place they are very difficult to overturn or change. So I think we need to move very, very quickly in this environment to provide a framework to help governments, companies and consumers to think about intelligently about some of these questions. And I think it's even more urgent because of the advent of big data and the Internet. They are really transforming the connection between the individual and data.

And as that process goes forward, privacy is going to be increasingly become a difficult concept to talk about. Think in that context we need to go back it basics. What's the definition of privacy? Cuts across cultures and levels of development. We need to consider how to operationalize that so government's businesses and consumers know not only what we are talking about but how we propose to manage it. Whole question of consent. Particularly in the environment of big data and Internet ‑‑ what does consent mean? How can we enforced it. A mechanism according and manage whole question of privacy. What's the vehicle in the ASEAN region? Opportunity for ‑‑ cooperation on the ‑‑ ASEAN or APEC or right to get together a web of bilateral relationship.

In that particular context too how do we ‑‑ connects ‑‑ in the region.

At the end of the excellent discussion I end up with one question: Perhaps we started off with, I just feel very encouraged and I hope that we can continue the momentum and looking forward to talking with you in the future. Thanks.

>> NIR KSHETRI: Thank you very much Professor Foster. Quick question? Can we do that? Maybe we will get back later. Our next speaker is from Microsoft Asia. Singapore and he is Chineseborn Canadian living in Singapore and works for a U.S. company. So he has a lot of different experiences about privacy.

>> Thank you Professor Nir. As we just witnessed when technology works ‑‑ thanks professor Nir for emphasizing I have a complicated background and I mention to my copanelists in email to illustrate the fact that given people are like myself is becoming more like the norm, because people travel around the world and living different places. When it comes to personal data and data protection, it is a crossborder issue by nature. I titled my presentation putting people First, building trust in big data world. As we truly believe there's a crisis or a deficit of trust in current Internet ecosystem.

And rebuild or restore the trust we need to come back to fundamental of putting people first which I will elaborate what I mean in a bit of time. Also, stressed beyond the title of building on the APEC privacy principle and tried to be pushing the envelope a little bit say, how we do that beyond the current set of privacy principles. Next slide.

I have a rather simple outline of my presentation, not strictly following the Professor's five questions.

But I think as technology company, who operates globally we probably can best add value just to kind of share our view of how the landscape, the world we are living in has changed and transformed very dramatically and that actually requires us to take a different look to new model towards privacy restoration. And how we can leverage technology in doing that.

And I will talk a little bit about in my personal view why Asia could actually take a lead in the world and certain very tall order, but there are fundamental reasons, I believe, that Asia could take a lead.

And last but not least, touch on Microsoft's practice how we put privacy first in our product design in service offerings. With that, as I have the fortune of sharing this stage with four distinguished professors and there are more on our remote site. By quoting from professor ‑‑ who often say to students freely to ask me for past year's exams. We as students always like to do that. But just bear in mind that the questions might be the same; the answers might actually not now be different and that's statement very true our privacy debates needs and concerns of human beings remain the same throughout the years, but the solution is likely going to be different now since the digital worlds we are living in is vastly different from let's say the 1980s when the first set of OECD principles was drafted. Or even back in 1995, when was the most of the governments starting to establish the privacy and security regulation around the world.

We also need to bear in mind that the landscape two or three years from now in 2015 and 2020 will be significantly different than what it is today. And today many of Asian governments are just starting to define the data protection regime and privacy legislation as we just heard from my copanelists. Restoration which are put place or being put in place accounted for the changed that have occurred over the past decade and will these legislations survive the continued and most likely will be accelerated shift in the future. To start let's take a quick look as how the world has changed into what we known as the big data world. By some estimates only 3 zettabytes of information created in the year 2012 and in case you're not familiar with zettabytes. Everyone has the terabyte drives. Imagine 3 billion of them filled with one year of information. And this information ‑‑ still growing at about 50% year by year and also in the recent decade we have seen a lot of technology advances come together to enable even greater explosion of data fueled by the social networking fueled by the proliferation of devices. And in a shortcoming future, fueled by mission communication generating all kinds of passively collected data.

In other words, the technology revolution and the data explosion has really challenged the relatively slower pace of the regulatory evolution. I give you three examples depicted in the graph. Cloud computing, social networking and Internet ‑‑ as one example the advent of cloud has fundamentally redefined how, where and by whom the data is collected and used and exchanged. In the cloud computing, your data and processing are all moved out of personal computer, moved out of the direct control of the users into the cloud and the cloudbased data by nature will flow across multiple boundaries of national borders and therefore regulatory regimes.

Big data is big in sort of four dimensions, if you will. There's volume, velocity, the speed the data has to be processed. There's variety of data 90% of big data actually are unstructured data and last, but not at least also the value of big data, which is really central to the privacy debate as well as, because we do believe there's a need to strike balance between data protection, but also mining and getting value out of big data which has societal impacts quite fundamental.

There's a good phrase that some is quite well that says data is the new currency in digital economy. If data is new currency this is really valuable and it's for us to suppress it ‑‑ while protecting the fundamental needs of privacy and protection.

The other major force driving the data explosion ‑‑ five minutes ‑‑ is social networking. And way the changes people produce the data. Used to be the user is just the data subject, but now the users are also the data producers. Despite all privacy concerns you look at YouTube and Facebook, people are very eager and willing to disclose to much the world and how we balance that desire and the legal rights the users have. The machine to machine communication is going to produce I would argue the vast majority data generated in future, which is passively collected or passively produced. So that you will, really, points to the fact that the landscape has really changed in terms of volume, velocity, and variety of data and the value of data that we need to deal with. If we can move to next slide.

Conclusion is we need a new model, new policy that can adapt to the technology changes and also the changes in the societal norms that we just mentioned.

And this graph, which is trying to depict a rather usercentric and holistic approach to using trustworthy data system that we would like to call. Is broader than just privacy and data protection. Due to the ‑‑ sorry, the previous slide ‑‑ previous one, sorry. I am not there yet.

Last one. Yeah. So in this because of lack of time I highlight two components. One is shifting the policy focus from data collection to data usage.

In the traditional world, even in OECD principle, et cetera, the emphasis is really on in order to protect the users we really need to constrain the organization from collecting data at the outset and there's really in the big data world, it may not be ‑‑ appropriate mentality. What we advocate policy focus should move towards how the data used in the usage points, rather than trying to suppress the origin of data because the data will be gone if we don't collect it at the right time at right place and the value might be lost. And the really scrutiny should be put on who and where and how the data are used.

And that's actually easier said than done therefore we advocate another component that needs to be integral part of this. The technology part ‑‑ it can also provide policymakers with a great tool which never had before to deal with the challenges imposed by the big data. What I mean by that if you see the lower Right part of the chart, it depicts a way of wrapping the data around with what we call metadata. Essentially if I were to make an analogy, just like the IP routing header everyone is familiar with, moving the data pact around global networks towards desired destination, in similar way, if we were to attach a header to any piece of data that traversing across network and national boundary with a set of metadata that attracts providence ‑‑ privacy control elements that actually allows the data to be protected whenever it's accessed, because the metadata is permanently bound to the data and it's encrypted together. This is what we call metadata architecture proposing for policymakers around the world to adopt so as you can imagine we travel around the world as human beings, what we need is a passport which identifies ourselves and also get ourselves protect by foreign authorities when traveling. Similar notion you can think of this as a data passport. Each piece of data is given a passport that identifies itself to the rightful user and also protect itself from the unauthorized users.

Moving to the next slide. Give what I just said, none of those are actually currently implemented in today's privacy legislation. Much of today's regulatory approach are based on the traditional notice and consents mode may many of us already acknowledge that's not sufficient. Many times the users are not able to ‑‑ only given a binary selection of binary choice in terms of optout or optin, we want granularity of control ‑‑ economic return. Like we do when going to grocery store we sign up for a discount card. Is one example. Asia in my opinion can lead the world in embracing the new model and simply we don't have time to go through the details and I welcome you to go through PowerPoint later. I believe Asia can take a lead. Asia is characterized by predominantly a developing country. We have few of the largest developing economy in Asia. Where the population itself just drive the scale of data. With in cloud computing big data world, scale equals to the ability to mine data, ability to actually gain insights and intelligence out of data. Many people argue in the field of, for example, biomedical research, in the Asian world can actually take a lead, because they have much more sample to work. The second are even Asia can take a lead in my opinion, Asia as primarily a developing economy needs to have bigger motivation to utilize technology in much bigger scale and cloud computing is just one example to elevate the Asian economy andcatching up with the world leaders and to do that you need to employ cloud computing on much larger scale and therefore another motivation for regulators to take a larger stand. I will wrap up in the next one to two minutes next slide. Singapore has put in place personal data protection act last year or earlier this year and it will come to force July 2nd next year. This is one good example of where ‑‑

[ No audio ]

[Lost audio]

[Attempting reconnection]

[ No audio ]

[Still not able to connect to audio]

>> Privacy can be seen from the constitutional perspective and also are the business perspectives and both have social and ‑‑ impacts. When we discuss about how the Asian countries could harmonize the national regimes, so we should also consider how the Asian countries see the privacy, would we see the consider ‑‑ protecting privacy as protecting human rights? Or should we see the protection privacy in the context of the for ecommerce or committee economy ‑‑ that's the difference between APEC privacy framework and the EU approach.

What I would like to ask the speakers is how would you see concerning this issue, what would bridge the perspective that would bridge the Asian countries.

>> Response for that?

>> I don't mind. It's very good question. I think as I mentioned earlier, the whole privacy debate really needs to strike a balance between the need to protect privacy and data, versus also the other policy objectives such as innovation and trade and I believe in the early presentation I also heard there's balance of public interests, versus individuality.

What I can is that this is really has needs to take into consideration the context of the cultural norm. As I mentioned earlier in societies like Indonesian it's more of a collective society, but in society of the U.S. maybe it's more of individuality.

So that balance may be different in terms of where the balance point is. Different from country to country.

But nonetheless, I think there's a always a oneofabig challenges is to strike that balance.

>> Yes, please.

>> AUDIENCE MEMBER: I have a question for speaker for Microsoft and question also for the Indonesian speaker. Only one question?

>> First let's ask and come back to all the speakers.

>> AUDIENCE MEMBER: My question is what is your definition of big data? Because you seem to ‑‑ seems a lot of data is big data. A lot of data is not big data. Something give a he me a information ‑‑ I like to be your thoughts on your definition thank you.

>> I don't know if there's actually official definition big data. Wikipedia probably has one, but in our opinion, I think, big data really refers to this not only volume aspect of the volume is exceeding the processing capacity of any machines and requires the cloud computing to process, but also it refers to as I mentioned in terms of velocity and the realtimeness of the data that needs to be crunched and needs to be produced, because the value of the data actually lose by the time goes by. There's a lifecycle aspect to the big data. I think there's multiple dimensioned towards what makes it big not just volume.

>> NIR KSHETRI: One more for Jeff.

>> AUDIENCE MEMBER: Thank you for your interesting presentation. I think in general we have challenge of harmonization. And in the national level and regional and level and Global level one of the slides the current OECD principles didn't seem to be adequate. Could you explain what kind of OECD principles are not quite adequate? Like in terms of just the privacy perspective?

>> I was more referring to the old one and I actually heard from ‑‑ there's new release of the OECD guidelines. Which I really look forward to reading. But in the existing ones, there are things that are still ‑‑ for example, the security safeguard accounting principles. But there are other, like, collection limitations just as one example which we really think need to be progressed or move forward as I mentioned we really need to move from restriction of collection to more of scrutinization and how the data are used. From that focus to who and how and where the data are processed in way. Another example is in terms of the notice and consent and how the consent should be obtained. Because in many cases as we know it's very hard for users to actually predict how the data is going to be used and for them to give us consent upfront and actually that's doesn't make sense. And it's just those kinds of challenges ‑‑ that the today's world has actually made very hard then let's say, back in 1980s when the first OECD principle was drafted. Is what I mean.

>> Okay.

>> NIR KSHETRI: If you have any questions that you like to ask our remote presenters, Professor Foster, may take one question for him. And one for Professor Fumio and Edmon and we will close the session. If you like to interact more after that, you can do it ‑‑ anyone has anything to ask Professor Foster? Or if he wants to add something?

[ Off microphone ]

( Inaudible ).

[ Garbled ]

>> JIM FOSTER: I would be happy to answer question. I think ‑‑ ( Inaudible ) as I said before. [ Garbled ]

Discussion ‑‑ really have to address lot of basic questions. I think those of you who ‑‑ academic field involved with ‑‑ ( Inaudible ) sector have a big job ‑‑ asking right questions and particular context ‑‑ begin to ‑‑ ( Inaudible ) mindful of as Jeff was saying that solutions will be moving ahead ‑‑ [ Garbled ] because really driving force of the technology.

I think we need to get privacy right. And I think it's one of the really fundamental issues.

With respect to the future of the Internet and given how important ‑‑ innovation and competition and economic growth, come back to again and again, so I encourage those of you in the audience who are engaged with this topic ‑‑ we have ‑‑ trying to put together in Asia to get to know each better and talk about the issues and develop solution.

Hope we can continue this conversation both inside and outside the IGF framework.

>> NIR KSHETRI: Thank you, Jim. Let's see. One question is for Professor Edmon and Professor Fumio. Anyone has anything? You would like to ask?

>> AUDIENCE MEMBER: Professor since the topic is we are in the term of building OECD principles what's the Japanese perspective? Because you also apply the new OECD, rather than the APEC privacy framework?

Can you explain the reason of the Japanese perspective? Thank you.

>> FUMIO SHIMPO: To the new OECD guideline? Actually the basic eight principle has not yet been changed. There are no change to the new even if the new OECD guideline.

Therefore, for example, the privacy enforcement also is one of the factor for consider to establish new authority for Japanese government. And those privacy management program and the security breach notification is also that we have to consider, have to follow and ‑‑ to do that. Actually the current Japanese law doesn't have any obligation to notify however Japanese company try to notify the government and Ministry, security breach occur. Therefore these factors we have to follow and we have to consider have to follow to do the new OECD guidelines. However, there were no changed regarding the eight basic principles.

>> NIR KSHETRI: Thank you. Last question to Professor Makarim?

>> No? Okay.

>> AUDIENCE MEMBER: Yes. I found it very interesting. Patrick from Fiji. I found it very interesting that the Indonesians had this unique approach to privacy ‑‑ not being a very important issue. The Indonesian people have some trust between their people. And I think culture might be overlooking an important factor that there are a lot of issues that or the incidents that involve privacy violations are multinational, a lot of problems that you are trying to address are not because of Indonesian players, but because of bad people around the world.

And by making privacy or approaching privacy in the sense that governments shouldn't get involved, it should be a civil matter. You might be putting your people at risk. Because a lot of data privacy data out there can be used in attacks like social engineering and attackspecific threats and if government doesn't take an active stance in protecting they're people's privacy other opening up your teem to attacked from outside place. Something that, I think, you might be overlooking.

>> NIR KSHETRI: Quite a long sentence.

Make it short.

>> It was undecided ‑‑ the need for protection for the privacy in the broader ‑‑ and the personal data as his or her properties. Look at the one example of the maybe some companies saying that this is a good fit. When I buy this laptop, there's no condition for me; I can separate this hardware and software. And one time, I take this on, what should I do?

I should surrender ‑‑ should give my personal data based on the liability. So now let's think out of the box for the futures discussion.

Do we refer to the privacy or the personal data? Privacy, it means if someone had already make me unpleasant for their doing, or their acting, or might be best on myself, I surrender the data. So in this context, do the country should have influence based on the government authority playing more than the expectation of the individual him or herself. For the top protections yes, maybe to certain conditions, countries or governments should have a role in power for doing that.

So this harmony may be because of we do not give the formulation in effective context.

In appropriate context, so like ‑‑ about the constitutional perspective and business perspective, I am worried a lot in the future because of the government and the business.

Look at the Microsoft and SA.

We do not have ‑‑ we cannot say anything if Microsoft give my personal data to the NSA and providing me ‑‑ national security big data, who has big data? Who is the owner of the big data?

Collecting big data with no consent and no independent condition to the users, is that big data? No.

You have big ‑‑ trust from the users. It's not relevant saying I have at right to access, because since the beginning I surrender the data with no choice. Thank you very much. That's the end of my it.

>> NIR KSHETRI: Thank you, everyone and let's thank our panelists one more time.

[ Applause ]

If you have any more thing to ask the individual panelists feel free to do so. Sorry we are a little late.

[ End of Session ]


This document is being provided in A rough draft format.

Communication Access Realtime Translation (CART) or captioning are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings