IGF 2019 – Day 2 – Estrel Saal C – NRI Collaborative Session On Data Protection Resolution

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> MODERATOR: Okay.  Thank you for being here this morning for the session of data protection.  I will be brief because we are already five minutes behind schedule and I don't believe you need to hear me talk.  So joining us today to discuss this for the introduction are a representative from Korea

(audio is unclear)

>> Consent of the subject.  Practices in Korea (?)

(audio is not clear)

for these reasons in the Government cooperation.

(Audio is not clearly coming through microphone system)

with regard to the scientific research.

(Audio is not clearly coming through microphone system)

>> Hi, thanks everyone for being here this morning.  Talking about the sessions, it was a fierce log before that the data protection were scattered in different laws, such as H.I.V. and STD laws and transparency and political access to information laws.  This law on personal data protection is intended to provide citizens with the legal incident of protection and defense.  This is since the presentation in 2017, the withdrawal and review for the second consultation in 2018 and approval in 2019.  In its content, it protects personal data including those that may create discrimination, such as sexual orientation and data among others.  In the region there is not much difference to Panamanian legislation.  We have some that are quite positive.

First, we have the case of Costa Rica, where since 2011 they have a law on the protection of the person against the possessing of personal data.  These are created by autonomous defense in protection of personal data.  Nicaragua also have ‑‑ sorry.  Nicaragua has a personal data protection law since 2012 which contemplates the right to digital (?) in the case of other countries in the region such as Guatemala, Honduras, Salvador.  Some are currently discussing data protection laws, but in this moment they don't have a regulation for it.

Talking about the issues of Panama, the law was entered quickly and entered into force in the year 2021 and despite being consulted at the working table of the commission in charge of the discussion of this law, many of the Civil Society annotations were ignored, such as extraterritoriality and use of existing authorities with limited capabilities to exercise the defense of personal rights.  This law alternatively does not centralize the legislation of personal data but supplementary law of existing ones.  We need now the active participation of national Civil Society and international support for the data regulation of this law.  As a fact, one of the authorities that we would be responsible for the protection of personal data in Panama said it has a little infrastructure nor the human economic resources to take charge of tasks like this.

While the law takes effect, Panamanians and those that have data collected in Panama are in serious danger.  Recently there was a security flaw where 3.5 million data were hacked.  A cyber hack emergency where (?) denied the leak.  Today, Panamanians don't know what happened with the leak.  Much worse is the ignorance of the protection of privacy and data protection in the population.  This bring us to the importance of population.  For example, a population looks forward to the use of surveillance cameras, facial recognition and other technologies for the propose the national security without knowing the consequences they face.

Even newborns are facing security issues.  They have fingerprints to prevent kidnapping and human trafficking of neonates.  First of all, I think with the IGF, the Panama IGF, we have discuss the level of the multisectional board.  And the opinion of all of Civil Society to replicate the good practices of countries to have a shift more reduced regulation on the subject, such as GAPR.  And finally, Civil Society must create international Coalitions with organizations from different sectors such as L.G.B.T.Q. + and other organizations to occur opinion ‑‑ consider opinions for the protection of systems.  Thank you.

>> MODERATOR: Thank you for this overview for the situation in Panama and neighboring countries.  We will pass the floor to Lilliana for the situation in Macedonia.

>> North Macedonia:  Thank you for inviting me to this discussion to discuss about Macedonia.  I am coming from the country that are not part of the EU, actually and we face mostly with the challenges of not having a strict data protection regime because we are not an EU country member.  That means GDPI is not implemented in the country.  It is a prepared text.  It is part of the text that is going to be adopted but it is very ‑‑ nobody knows when it is going to happen.  So we are implementing the directive of 9546 and for the time being, we have verified the convention 108.  So the main issue from our perspective is whether to comply with the GDPR framework or the convention 108 because in this dilemma we have, on the legal policy framework level.  Basically, the GDPI is one side territorially covering the EU citizens, which is a problem that we have on a border level for border with the entities from the Bulgaria and Greece that we are surrendered as neighboring companies and the protocol of convention 108, which we have not signed yet.

What is happening in the region?  Slovia has the congressional 108, all of the countries in the western Balkan region are members of Europe means that this all presents 108 presents one international legal standard for us that could be applied in the meantime while GDPR is in accordance presented in the parliament and then adopted and implemented in the countries.  So (?) with the regime as GDPR is, I will say that in this country GDPR is more like PR than the GDPR itself.  We find it as urgent issue to have this discussion because it is a dilemma in the region.  How we're going to resolve the cases, if there is a new citizen coming and complaining about data protection violation.  So what we are foreseeing in the country, but mostly in the region itself is somehow when it is the process of entering the EU was very long.  Until then, we are considering convention 108.  A very possible international standard that could lead the way towards implementing protection and prevention mechanisms.

Also from one personal view, I don't agree that it presents some clear let's say mechanisms in some way.  In some technical process, maybe it is more strict and more clear in a way.  The GDPR from the accountability and transparency principles, it complements what the practical does not have.  Our main challenge in the country and region itself is we're not a member of the European Union and we have European Union citizens in the region that we need to think about how we're going to comply with the international standards and the European legislation itself.  Why?  As I said, Greece and Bulgaria are neighboring countries of Macedonia and we have cross border cooperation on a high level.  And we have in this past five or six years increased dental tourism.  Which means that there is a rise of dental clinics in the cross border region that are collecting medical sensitive data from European citizens coming from Greece and Bulgaria in these countries that in the North Macedonia, especially.  So the main dilemma here, is again, how we're going to protect the EU citizens if we do not comply with the EU legislation.  Thank you.

>> MODERATOR: Thank you very much for the presentation and to all three of you for this presentations.

So the good news about having relatively small panel today is that we can open the floor to have a really in depth discussion and more input from different countries.  So we will have questions from remote participants and my colleague on my right here will tell us as they are coming, as the questions are coming in.  So I will open the floor in a short moment to have your comments about what you heard or inputs from the recent legal developments on data protection from maybe the different countries that you are coming from.  And also on your vision for what should be the global standards of data protection.  But before I open the floor, I was asked by the representative from the Council of Europe who had to leave the room for a meeting to raise comments that he would have liked to make.  So he asked me to say that the South Korea Government has expressed desire to join 108 and the Council of Europe is looking to the discussions that are happening and that will go on with the Government of South Korea.

So this was his comment.  And now please take the floor.  So, yes, please.  If you want to, please say a few words about where you come from, who you are you yourself.  Thank you.

>> AUDIENCE: Good morning, my name is Carroll Douglas from Trinidad Tobago.  I am with the authorities from Trinidad Tobago.  I was excited to hear the presentations because in main part, they reflect what has happened in Trinidad and Tobago and maybe to an extension in the region in the Caribbean region where data protection has taken on a new focus, as you may have realized recently, we have been in the center of the controversy with Analytica, if you know, reading the paper, that is an issue even in the United States, their elections are and in the U.K.

So we have been focused recently on data protection.  We have a data protection action, submitted in 2011 very similar to South Korea.  Unfortunately it is not fully proclaimed, which means that the entire act is not in force.  We don't have a data commission.  We don't have recourse, so if there is a breach of the data protection rights, you don't have any remedy per se in the sense that you cannot go to a data commissioner and seek relief from a data commissioner.  You have to take it as a private right and pursue those matters as a private individual.  But to say a data commissioner is appointed and you can seek through that person or office, that is not possible.

At the moment, there is renewed focus on revision of those pieces of legislation, which includes the e‑trans, electronic transactions act, together with data protection act.  And I suspect regulationally it is part and partial to the data laws.  That is 2011 to now.  Technology has far overtaken what would have been written in those laws in 2011.

So given the fact that we now have the GDPR, we have lessons from conventions in other countries, it is an opportunity to revise and revamp the laws to bring it to modernize the laws and probably, hopefully implement or have a data commissioner.  I wanted to mention that.  If there is anything else, I would be happy to comment.

>> MODERATOR: Okay.  Thank you.  Please remember to ‑‑ yeah, thank you.  So, yes, please take the floor.  And also, so of course, the floor is open to comments, but also if you have questions for the panelists, please feel free.

>> AUDIENCE: I'm Luis Castro with part of the GDPR.  I listen from the colleagues here about their experience and different level of implementation of laws, data protection laws, like we heard from Panama, Macedonia and North Macedonia.  I'm quite interested to ask our colleague from South Korea, as a developed country and very highly technical technological country, integrating the RCDA, how is it really affect ‑‑ if the law is really effective in South Korea, and if people in general are aware of the rights and how ‑‑ how the system works in terms of implementation enforcement.  You also talk about imprisonment penalties.  I would like to know if this really occurs and if you have any case that you can bring us?  Thank you.

>> MODERATOR: So we already have one question and one comment from the consequently of Europe, even though he has left directed at ‑‑ to a question of South Korea.  So maybe we'll give the floor back to Mr. Jen yung for a brief answer.  Thank you.

>> South Korea:  I think data protection act has a positive effect on every area of the society.  The people are very conscious of protecting their right and companies shall comply with strict (?) law.  And therefore the level of protection is advanced after implementing the data protection act.  But (?) exist such as the penalty.  The imprisonment.  There is no precedent other countries don't have.

So we have many positive effect and negative effect.  So I think we are having discussion about how to improve our law and secured stability and effective law.  Yes, thank you.

>> MODERATOR: Thank you.  Any more inputs, comments, questions?  Yes, please.

>> AUDIENCE: Thank you very much.  My name is Jimson Alovey.  I'm from Nigeria.  I run an IT business and member of the compliance alliance.  I apologize I came in late.  I know the subject matter is about data protection.  I want to give us a little information, perhaps a number of you might be already aware with regards to data protection efforts in my region in Africa.

April this year, we have the data protection regulation in Nigeria, and it makes some provision to protect citizens basically.  Citizen data.  And for them to be ‑‑ to have the opportunity to give authorization before their data is used.  Of course, data privacy.  And it means the countries are to be accountable and also the legal subject or natural person is protected.  And make some penalties, provisions on penalties.  Like if you are a processor.  Processing more than 10,000 data subs, there is a breach, you have to be liable to about 2% of your gross income of the preceding year.  If it is less than that, 1% of your income per year.

(?) it is on right now.  It is giving way for job creation in the ecosystem.  And there is some current activities.  Some protection for citizen data.

Right now, in Nigeria, the ICT is contributing about 13.8% to GDP, so it is a very serious business.  Kenya, also recently, I think last week or so pass ‑‑ last two weeks, passed the data protection act.  The same provision, but the difference between Kenya and Nigeria, Nigeria have an agency, national information technology development agency, set up in 2001 to at least steer the development of ICT in Nigeria.  It is in their mandates to come up with such regulations.  With Kenya, there is a position to create a commission, with the commissioner to have implementation.  They have those that bridge the act or need to pay some ‑‑ maybe some millions of shillings or so.  But I got it now that I say permission to make it more accountable.  Because appointing a commissioner, if it comes from the civil service, surely it will be compromised.  I think it is kind of a litigation to ensure that the appointment of the commissioner to oversee that is independent.  So when it is independent, it is able to act without any form of compromise.

So this added to regulation or acts on data protection that is within my region that I know.

What I want to ask, maybe I missed some part of the discussion earlier.  Is there a level of collaboration between the GDPR, EU, and the AU, African Union, and of course, Nigeria, Kenya, data authority.  Of course, we know the African Union has a data protection advisory.  You know.  So that is the question.  Perhaps maybe someone can respond to that.  Thank you.

>> MODERATOR: Thank you for your comments and the question.  Is there ‑‑ maybe I will take, if there are one or two more questions, then I will give them back to the panel.

There are no other question, then does ‑‑

>> North Macedonia:  Let's go back to the western Balkans.  I wanted to explain that without having the legal framework in the country and the region presents not only us but the European Union challenge how to deal with it.  Again, in my analysis, and I have previously worked five years for the data protection agency in the country.  And 10 years with the reinforcement for the Ministry of Interior.  What gained insight is mostly businesses and I.T. companies are aware of the need to have a stronger regime and implementation and enforcement mechanisms.  And very much absurd to say, public institutions, although they're huge data collectors and controllers, they're not implementing on that level on a very high level of the data protection regime.

So what we find and what I have made analysis in the previous year is that we do have limitation of data protection officers at a higher level, but we don't have information officers nominated in each entity.  So that presents a kind of challenge but also a threat to the data protection within one entity.  And what intrigued me more is that over 65% of the DPOs in the public and private entities are women.  So what I have done in this let's say intriguing analysis is that why women are mostly nominated as data protection officers are they more reliable on data protection mechanisms?  I don't know.  Let's see.  But I have come to conclusion that maybe we could do some different targeting.

I have contacted the women's entrepreneur organization, invited them to an event of data protection challenges and talks and discussions.  So what we have done is we invited all of the SMEs that are managed by women to actually come forward with the data protection challenge that we have.

So in this world original, my organization is working with SMEs and women organizations that are actually enforcing, implementing all of the GDPR challenges, although we do not have a legal framework.  So we come to conclusion that we can do it although we do not have like past law in the parliament.  But we can technically implement GDPR requirements which have translated into technical requirements.  GDPR on the policy level, the procedures and processes.  But then again, we work with the LCT companies that were more than willing to contribute and develop some ICT, GDPR tools that shocked the women into implementing and enforcing GDPR on a small‑scale level.

That is a way.  There is a sideways always.  But we need to find it.  It is a matter of time when this legislation will you know, come first or come second.  My position this morning, when we discussed, it was that, yes, we have to agree upon one international data protection standard.  What I am hearing from my colleagues here is actually we need to start talking in parallel with the information as well.  Although not EU member country, but very much progressing towards becoming in a very next moment, let's say.  A NATO country.  NATO membership.  So this brings us forward with the cybersecurity regime.  Within the national strategy of cybersecurity, we were forced, let's say to take measures into bringing information security on a higher level.

In a way, let's say that could complement what we are lacking in a technical requirements from the GDPR.  So, you know, we are struggling, but we will be there soon.  Hopefully.  Thank you.

>> MODERATOR: Thank you, yes.  Your message is we can still apply what is the essence of the GDPR even while we are still waiting.

>> North Macedonia:  I have a question, if you allow me.  You mentioned the Ministry of Interior.  That would be an entity or person to address the data protection.  I'm confused ‑‑ but that is not an issue any more, because it is a controversial between ‑‑ I have worked in both sectors.  It is kind of service to the citizens, but data subject rights and the manufacture of interior is the biggest controller of personal data.  But that is resolved, right?  Not an issue any more?

>> MODERATOR: You need to ‑‑ yeah.

>> Can you rephrase the question?

>> North Macedonia:  You mentioned the Minister of Interior is the entity that would address the question.  You mentioned something about it?

>> South Korea:  At this time, not in the past.  I say.

>> North Macedonia:  Thank you.

>> MODERATOR: Thank you.  So we don't have much time left, so I would invite maybe the people from the audience to ask ‑‑ raise some last questions that we'll take together and I will pass the floor back to the panelists to have final concluding words?  So short question, please.

>> AUDIENCE: Okay.  Thank you.  Just a bit on the current (?)  South Korea mentioned something about the prosecution of violations of the data protection act, which I found quite interesting.  You mention it is quite unique you have in your territory the actual ability to have somebody sent to prison.  A custodial sentence.  Other countries may impose a fine, a certain percentage of the gross.  I always believe if you don't have a proper enforcement mechanism, if you don't have a good, strong data commissioner, there is no use in having a data protection law.  It goes hand in hand, if you want to enforce the rights, you have to have a strong data commissioner, DPA.

In your case, I was hoping when my friend asked the question whether or not you have such prosecutions or has your information commission or data protection agency implemented fines or custodial sentences in the past?  To enforce data protection laws?

>> MODERATOR: I would maybe ask, before you can answer, if there are any other questions from the room?  Maybe on the right?  Nobody has asked anything yet.  No?  Okay.  I will pass the floor.  Bit of interest in South Korea today.  I will give you the floor to answer the question briefly, and then a final round for concluding remarks.  Thank you.

>> South Korea:  Data protection in Korea sentenced and fine.  Not imprisonment.  But regulations that are parallel should have prison theoretically.  But usually have the funds.  The criteria between the implement and fine is not clear.  Is not clear.  But so usually, usually, we can dedicate ‑‑ take the fine, not imprisonment.  Yeah.

>> AUDIENCE: (Off microphone)

>> South Korea:  Fines, penalty, fine.

>> MODERATOR: Thank you.  So a lot of things to talk about.  What's striking is that we can really see the feeling in this room, how data protection is ‑‑ more and more countries have data protection laws.  If we had this session five years ago, it would have been a completely different discussion.  This is really interesting, according to Green Leaf, 132 jurisdictions have adopted some sort of data protection.  That includes United States in his list.  I would have had questions for him, had he been here, about what type of things included in the list.  We could look at the content as well.

There seems to be a high degree of convergence nonetheless.  We will pass the floor back to each of the panelists and brief concluding remarks.  Perhaps what the take away message from this session can be.  And so there were questions.  In this session, what do they see looking forward as being able to form the basis of the global standards of data protection worldwide.  So first, maybe Mr. MSS, if you want to say a few words.

>> Panama:  Thanks Julian.  I would like to say Panama and the whole central American region, at the NGO where I work, the region is working hard, trying to deal with data protection.  It is something new to all the citizens.  Also for the Government.  We do need help for organizations, other regions, their examples, their experiences to put pressure on our politicians and policymakers as well.  None of the countries in the region have a certified convention 108, for example.

Commonly being very small countries between two major lands, North America and South America.  We forget in the making, we do exist.  Appreciate spaces like this to expose our situation and be realized in our struggle.

>> MODERATOR: Thank you.

>> North Macedonia:  It is either EU, Council of Europe.  Not belonging in some regions or communities.  I would increase the possibility to foster and develop economies.  Because not having data protection subject rights, regime and data protection regime implemented as GDPR will impact the countries and the regions, especially in economic growth and development, especially when you are talking about cross‑border cooperations.  So I would support my colleague from Panama suggestion to have international or we should gather like this multistakeholder approach from Civil Societies and Governments also to include and to adopt one global standard from data protection.  Also, I would increase this let's say suggestion to have financially independent data protection agencies or self‑regulatory authorities that would mentor and actually mentor the subject rights enforcement.  It is very important to have independent self‑regulation in the countries about data protection regimes in order not to supplement this penalty or imprisonments or, you know, what different strong techniques.  Thank you.

>> MODERATOR: Thank you.  So if I understand you correctly, so that it is necessary to have maybe a convention, which might be different than convention 108, but at least some sort of document that would serve as common ground.

>> North Macedonia:  Not a new convention, enough conventions, but to increase the level of independency of countries in the body.  Whether it is an data protection Ombudsman or data protection agencies or different bodies in the country that regulate data protection regime.  We need to increase financial independence to monitor more the data protection subject rights.

>> MODERATOR: Okay.  So global centers are important for enforcement and for that we need to support strong and independent data protection authorities.  I think this is a common ground for many of the questions that were raised.  That is maybe something for the report that we can include.  Thank you.

So last, but not least, because there is an increased interest in South Korea.  Mr. Yung for the final concluding words.

>> South Korea:  Very pleased to hear the information that our Government is considering to signing the convention 108.  And studying the issues that are returning home.  Yeah.

My concluding remarks is personal data is a human rights that is properly protected resource.  And needs to help industry development and personal convenience.  There is a (?) that Koreans are facing.  South Korea had been under military regime for a long time, there was many human rights issues in those days.  Since personal information can be a tool to strike at specific individuals, many Koreans are concerned that the use of personal data by the Government and corporation may cause the human rights of users.

This cultural and psychological obstacle must be overcome.  I think the point about Korea data protection is positive in general.

So the presentation should have been used in many ways to protect it properly.  Thank you.

>> MODERATOR: Okay.  Thank you, that is impressive.  I think this is the first time we have been to any country, especially in Academia, we finished with one minute and 54 seconds left.  Please join me in thanking the panelists for the extraordinary performance and insightful contributions.  Thank you.