IGF 2019 – Day 2 – Raum I – WS #236 A universal personal data protection framework? How to make it work?

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> STEPHANIE LI:  So hello, everyone.  Just to briefly introduce myself, I'm Stephanie, so currently I am an Ambassador representing DotAsia organization.  It's like youth engagement organization.  First of all, welcome, everybody here.  Our workshop is focusing on to build a universal data protection framework focusing on personal data in a crossborder context.  We are very lucky today that we have as many speakers, so let's just like introduce themselves.  So from the left‑hand side, we get Jean.  Jean is the founder of the IO Foundation which is dedicated to protect our digital rights.  Welcome.  We also have Jaewon here, a committee member of the Korean Internet Governance Forum program committee.  She is a very strong speaker here.  Next we have Renata, she is an international human rights lawyer and digital rights advocate.  She is currently the director of the International Smart Citizen Foundation, mostly operating in Latin America.  Next we have Peter, currently working at the data protection unit of Council of Europe and is responsible for the implementation of global data protection Convention 108 Plus, which we will get more deeper later.  Next to Peter we have Lih, representing working at Google, and work as public policy department, so he will talk more about how the Asian region is working on the data protection.

Next we have Charles Mok, we have a legislative councilmember representing the information technology at the Hong Kong legislative council.  Now we have different stakeholders.  I hope you guys will enjoy today's session.

I think I lost ... (pause)

Here is our speakers.  Next will be all the organizers.  We want to put a page here because their efforts are also appreciated.  Actually we would like to start by Peter to sharing more about how the Convention 108 Plus because many people talk about GDPR, but they forget there is another more visionary framework about data protection.  Thank you.

>> PETER KIMPIAN:  Thank you very much.  Good afternoon, everybody.  Thank you very much for your organizers having me here on this panel.  This is great interest from my organization to participate at the IGF especially in these kind of workshops, where we can discuss the construction of global data protection framework or global protection for individuals.  The Convention 108 is the only legally binding international convention on data protection.  It has been open to signatory 9081 and although it's Council of Europe convention, it is open to third parties.  As of today, we have 55 parties joined to it, 47 member states of the Council of Europe, out of which 28/27 may be of the European Union plus eight countries from all over the world have already joined the convention.  There are much more observer to the work of the convention, as well, gathering states from across the world and also organizations which are interested in a global reflection on privacy and the right to privacy, and to data protection.

As it has been already said, we hear a lot about GDPR, and maybe it's one of the weakness of the Council of Europe to not making that much of advertisement or outreach to the world, but it has been changing for the last couple of years.  We tried to primarily reach out to Government from all across the world, and to regional organizations which are having the aim to protect privacy, and we have some very good relation already established in the Latin‑American region, in Africa, but we, and I can say very openly, basically completely missing any context or meaningful interaction with the Asian region.

We also have some challenges with implementation of the convention, because as I said, this is a convention which has more than 40 years, so it needed to be modernized and to be updated, to be able to tackle the challenges from the digital age.  This has been a very long and complicated process which lasted 7 years for us, and imply thorough and detailed negotiations including with European Union itself, which is not a party to this convention, but an observer to it.  But as I mentioned, the all 28 member states of the European Union are party to our conventions and data protection as you may know at the European Union level is a com policy so they had an interest to negotiate on behalf of the member state and they got the mandate for it, in a way to ensure that which is accepted at the international level is fully in line with international, with their national legislation, meaning the GDPR and the directive and I can tell you that's not an easy task but we managed it.

Last year, we reached an agreement, and all parties have accepted this agreement, and signed to it.  And current, and the new protocol which will bring this modernization into practice was open to signature last year in October 10th, and as of today we have already 35 signatures to it.

We recently learned that two of our parties have already adopted national legislation for the ratification.  So it's a matter of diplomatic procedure, and the protocol will enter into force for this, not enter into force but we will be, it will be ratified already by two of our parties as of this year, which is I believe a fairly good representation of a very high level commitment, political and legal commitment of Governments that we are working with, that they also are party to our convention, in bringing this modernization at the very high level.  Why is it so?  What are the reasons, arguments behind, because the convention has two cornerstone to building, main building blocks, and it has so since 1981.

One is the protection of individuals, of course, because right to privacy is a universal human right.  But the other is to ensure the free flow of data between parties which is very much needed in our digitalized society where Internet is becoming a critical infrastructure, I would say, and is becoming a tool for our society, for our economy, for our politics, even for our Democratic institutions.

So it has been tested throughout the time, and it has been proven very flexible, and adaptable to all needs and national specificities, with always have aim to ensure the appropriate level of protection of individuals, which is also, as I mentioned, now recognized by European Union as being in a way compatible, the one that the European Union would require for states to get in commercial or other types of relation which would imply the free flow of data within the state and the internal market.

The other challenge is the implementation of the convention, and I'm again very open here, because in the hand of the committee which is responsible for the implementation of the convention we don't have anything right now under this current regime, which means that a party has got evaluated, while acceding the convention, but after this we don't have any mechanism in place which would measure or which would assess the implementation or the level of implementation of this country but it will change with the modernized regime, and the committee will have a very, they will receive a very important power which will be the monitoring and the follow‑up mechanism, which will be put in place, similarly to other committees that we have the Council of Europe on money laundering, trafficking in human being, on corruption.

So the privacy committee will also have this monitoring power, which would result at the end of the day, we believe, in a much more harmonized way of implementation.

The third challenge we have, I would say, is really the lack of information, and the difficulties to reach out to interested stakeholders, and it is especially relevant and it is especially the case in the Asia region, and in the Asian countries, and in Asia.  We have practically no established and continuous relations either with countries or with Asian itself which is in a way we believe a gap that we need to fill in the future, because we think that the construction of a protective framework for individuals, while guaranteeing the free flow of information which is in essence today in our society would need at least a pragmatic dialogue and exchange of views with countries.

But it is also, situation is not that dramatic, either, because some countries have already approached the Council of Europe and especially our committee with a wish to explore possibilities of accession to the convention.  And we have especially South Korea, for instance, with which we are working very closely together, and has very bright and imminent prospect of possible acceptance to this convention which would also be interesting because this country approached us while being discussing the decision with the European Union, we also have this kind of parties, Argentina, while having a decision from the European Union guaranteeing free flow of information between them, between Argentina and the internal market of the European Union, they decided to accede convention and they were in the first row, were among the first to sign the modernized, they wish to remain within this club.

So I will stop here.  There are different interesting aspects and elements regarding this convention, how it could play a role in Asia, we believe, and I'm very much open to discussion.  Thank you.

>> STEPHANIE LI: Thank you very much.  So we have a very interesting insight of how the essence of Convention 108 Plus is and what are the challenges facing.  Before moving on to discussion, I would shortly introduce how we are going to work out, so we will start, we are having two round table discussion, so after the panel discussion for ten minutes, we will open to the floor.  So get ready for the questions, if you have any.  Our first round table discussion, so we will want to see what are the fundamental principles and also what are the difficulties when we are dealing with personal data in a crossborder context.  First I would like to invite Lih to talk more about how the Asian region is working on data protection.

>> LIH SHIUN GOH:  I think most interesting here is a lot of things Peter talked about, is also very relevant to the conversations happening in the southeast Asia region, for those who are not familiar to southeast Asia there is a regional group called the Association of Southeast Asian Nations, ASEAN for short, ten countries, Brunei, Cambodia, Vietnam, Malaysia, Laos, Indonesia, Myanmar, Singapore, Philippines and Thailand.  It is a way to group the ten countries together to think about their growth as a region.  They are bounded together by quite a lot of commonalities, 700 million people strong, and very young middle class growing and entrepreneurial but at the same time also diverse in terms of language, culture, as far as economic development, you have developing countries such as Laos and Myanmar and advanced countries such as Singapore, Malaysia, who have in place some data protection laws.

What is interesting here is the grouping of the ASEAN nation came together to think about what can we do about cross data flows.  I speak of this in the sense that the digital economy in southeast Asia has been growing rapidly, partly because of entrepreneurs and because of its young population, it's online population, spends a lot of time on line.  From that perspective the two points Peter raised about one point about importance of privacy on line, data protection on line and importance of crossborder data flows are exactly the two pillars of conversations taking place in ASEAN.  The governments understand that as users are online, they need to make sure there are rules in place to protect their information on line, protect from scam, from phishing, scamming, but at the same time we notice a lot of setups are starting to grow and how they are going to export their services and help and be in touch with the rest of the region.  ASEAN as a grouping has agreed to work as an economic block and engender economic growth, societal growth within southeast Asia.  This piece around the economy becomes very important for them.

In 2016, the grouping agreed on a framework for personal data protection, they started with that, with a view that how do we engender personal data protection within ASEAN and that has evolved into another framework called the digital data governance framework as foundation on how to think about protection of personal data protection in ASEAN followed by how to use that to facilitate crossborder data flows.  The view is you can protect personal data on line.  What is interesting is two months ago in Laos, the 19th ministers meeting in Laos, the ministers agreed for the region to work on a crossborder data flow mechanism, detailed mechanism to facilitate crossborder data flows within ASEAN.  Part of that is thinking about how to create a mechanism that is not too heavy, in a sense they want to make it such a way that business friendly but still very data protection centric at the same time.  We need to, another challenge to think about, how do we do it in a way that is helpful for countries where they don't necessarily have a data protection regime in place yet, how do we help these countries think about data protection and how do we help them on this journey towards putting in place a strong data protection framework for the users in the countries, while allowing the setups and SMEs to think about export and think about the ASEAN growth.

A lot of this, there are documents published on line by Secretariat to look it up on line.  I want to raise this because it's important to note, there is no common thinking around this topic of data protection and crossborder data flows across the countries.  One important output we might want to think about and ideas they want to share today is how do we facilitate more these conversations between regions, so that regions can learn from each other best practices, as well as think about how they can harmonize or at least have some consistent data protection framework, just for compliance or to facilitate crossborder data flows.  Thank you.

>> STEPHANIE LI: Thank you.  We have observed that actually the importance of cross data flows has been getting stressed for quite a long while.  I'm thinking if Jaewon, can you share more situation about developing countries as well.

>> JAEWON SON:  Hi, this is Jaewon speaking.  So before getting started, I'd like to talk about my background, about this position, so I'm currently working at the international fund for culture development and I have a development background.  When we talk about these issues, I like to talk on behalf of what does these developing countries facing of.  Before talking about how can we have universal data protection, we should think about the developing countries first.  Some people don't know about what is data protection, what is their privacy right and the human right.  Before getting started about this universal acceptance and everything, we should first raise awareness of why this is so important and what is it about to the developing countries.  According to the data, there is a 1 percent of the countries around the world who doesn't even have regulation or laws for the data protection and most of them are from developing countries.  Without having the proper regulation in their own country, we wouldn't be able to have the universal or unified regulation around the world.  That is the first thing I wanted to mention.  While we are looking for, what is the main reason that they do not be able to have proper regulation for their own country, it is not only because they don't have funding or human resources, but also because there is a lack of guidance, when they are about to make the law and legislation, the inconsistent law happening in the low court.  For example, when there is like a human right violation occurring around online when it comes to the court, because the judge and the lawyer do not have accurate regulation about how they are going to be able to judge on specific privacy laws, it depends on the lawyer or judges when they want to say that it happens without equal kind of judgment, so for the Government perspective or the international organization perspective, we need kind of guidance for those developing countries to have their own kind of awareness and more relation on their own country first so they are able to join our discussion on how we can have the universal discussion or together to have the data protection.  That's it.  Thank you.

>> STEPHANIE LI: We have gone through first of all a data protection convention and some other challenges, and some more situation on how in the developing countries are facing, and also how is the situation in ASEAN region right now.  So before giving to the floor, I want to know if anybody wants to ask something?  So yes, after going through different situation and the current framework, I'm wondering does anybody here want to ask some questions or respond to the panel, or responding to the policy questions?

>> AUDIENCE: Hi there, Lawrence Kay, Open Data Institute.  We were cofounded by Tim Berners‑Lee and work on data in trade.  This is already the best data session at the IGF this week, so congratulations.  The discussion on data protection is very important, but often happens in the absence of the combined innovation that comes through data sets and sharing data across borders and the way that you have discussed your regulatory cooperation in ASEAN with regard to respecting both data protection and the potential through trade sounds really impressive, and it's impressive because it's very difficult to have those structured productive conversations about such sensitive topics with regard to data and innovation.

My question is quite broad.  I'd love to know more about the fora, mechanisms, conversations, the communication tools, the agenda setting that you have used in ASEAN to come to the agreements and frameworks that you clearly have.

>> STEPHANIE LI: Okay.  So maybe we will ask one more question before, yes.

>> AUDIENCE: I'm Claus, to my understanding, the ASEAN move is more towards Cybersecurity approach, and how much is the role of actual data protection in it implemented or being implemented.

>> STEPHANIE LI: Okay.  You want to respond.

>> Sure, I want to tell you I'm not a Government official so I can't speak on ASEAN, on behalf of ASEAN, but what I can do is share with you what we have heard so far based on our engagements with the ASEAN Secretariat.  I'll take the second question first because it's easier to answer.  As far as I know, the Cybersecurity track is a separate track from the data protection track, because Cybersecurity track is more around things around malware and certs whereas data protection track is done at the telecommunications Minister level, so focus on how we think about trade and how do the Data Protection Commissions themselves within ASEAN work together as an organization.  I think that is one of those challenges they are trying to work out this point in time.  The first question, how it came about, it's a journey.  It did start with a view that they wanted to think about data protection on its own.  I think a lot of it came from the fact that as a region, ASEAN wanted to be an economic community, thinking about how does it enable the flow of people, flow of trade, to enable economic and social growth.  From there, it became a building block.  I can read out in some sense what the framework and the values is based on.  That is a really important one because it provides the foundation on how the Governments talk to each other, and directionally how they are going to move forward.

In terms of the values that they are looking at, the guiding principles for data protection in ASEAN is, one, consensus driven bottom up approach based on accountability, an approach that allows organizations of all size to participate.  I particularly like this point because we forget about the small players a lot of times.  A approach allows participation by all ASEAN member states, this point goes to how we involve developing countries that may not have expertise, and interoperable approach that strives for integration with other regional frameworks, that will be useful for Council of Europe in this case.  And ethical push that promotes transparency and respect among all ASEAN nations.  This is how the region, it is not a fast way to get things done, but it is approach that allows everybody to move forward together, and be aligned in terms of what they want to achieve.  The members are very happy with that.  As a result, there is a lot of discussions, a lot of engagements with industries.  They do invite industries in frequently, apart from industry players like Google and SME associations that represent SMEs across southeast Asia, they also involve people at the GSMAs, people from other nations, they involve governments from Korea and Japan and it's a lot of conversations.  You start building text you can agree with and working from a roadmap.  They have a working group that looks at details before it flows up to the Minister level.  If you would like more, I'm happy to chat with you off‑line.

>> STEPHANIE LI: Okay.  So do you guys have any more questions?  Yes, please.

>> AUDIENCE: I come from Switzerland, representing large enterprises.  My question is, a few years ago with the APAC data privacy initiative, was the most interesting initiative in the field, what happened to it?  We didn't hear much about it.  Nobody talked about it today.

>> Okay, because I know as well it's related in some sense.  It is still very much alive.  The Philippines and Singapore has made intentions clear they will be part of the APAC framework and some companies have started to register themselves under the framework.  I think there are challenges with the CCPR framework in terms of the process it takes, it can be intimidating for countries, and particularly for ASEAN, not all ASEAN economies or member states are part of APAC.  In that sense from a values perspective it is not that inclusive in that sense for all ASEAN nations which is why I think they have also included the piece about interoperability.  The ambition is hoping to see once we develop the ASEAN framework they can work with other regional blocks to figure out how do we help achieve this consistency across regions.  What is the mechanism to allow, to spread this framework that they have, and link it up with other similar type frameworks.  I will say that for APAC, I do hear they are still of interest, Japan is still very much a champion for APAC CCPR and so is Singapore and Philippines.

>> STEPHANIE LI: Okay.  So it seems like ‑‑ okay, this gentleman.  Thanks.

>> AUDIENCE: Hi.  Representing United Nations university, unit based in Portugal.  My question or my comment in this area is, do you think that as far we are going with this adoption of new legislation for data protection around the world in the countries and all this original initiative, do you think that we come to a moment when, because more of the laws more or less look the same, all the principles are more or less harmonized and recognized by all the countries, do you think that we come to a moment that United Nations should take the lead in this area, and start working on some universal convention where all the countries around the world will be able to join, and then we will have universal standards adopted and recognized around the world, which will also facilitate all of this crossborder exchange of data and data flow.  Thank you.

>> I try to respond.  Yes, of course, that is very logical thinking, that it would be very natural flow, that to see it happen, but to reach consensus on, even if legislations are kind of looking alike but I would argue also that they are pretty much provide the same, there are 146 out of the world, they are, not all of them are alike, especially in very important aspects, and to reach consensus you need lots of negotiations, lots of time, lots of energy.  Although there are initiatives at the UN level, but recognizing the, making a realistic assessment of the situation, even UN Rapporteur on the right to privacy recommended in its report to UN Member States to accede Convention 108 Plus for the time being, because as he sees in a near future under the UN, it will be nearly impossible to agree to a convention which would cover all UN Member States.  And for the time being, we have one convention which is open to anybody.  We have this accidentally and I can tell you the history behind this, but this is a fact now.  And why not use it?  We have done already 40 years of job for you, I mean for future generation, that you can spare joining this, and I can of course explain this in a more academic way.

But there is a wish and there are reality factors that you need to consider.


>> AUDIENCE: Hello.  My name is Douglas from Trinidad and Tobago, executive officer of legal and enforcement at the telecommunications authority of Trinidad and Tobago.  Before I start, I want to recognize the five young people at the end of the room there, which I'm so impressed to see young people engaged or interested in these discussions, it's very good for the future.

But in response ‑‑ yeah.  They definitely deserve a round of applause.


For their attendance and hopefully next ten or 15 years, they will be at the head of the table.  In response to questions as to the UN, I think the question is a great question, logical question as you rightly said is whether or not it will engage the multistakeholder process, because governments can be accused of making policies in absence of consultation.  If you have the United Nations, for example, providing you with a document, having got this document from different governments, the first question somebody may ask is, did this or have these governments consulted with the relevant parties and private sector, the business, academia and so forth, through multistakeholder.  So when you make a model, when you have a model coming out from the United Nations, it then questions its legitimacy, does it have the support let's say of wider populace which we are meant to be governed by, if you are going to be governed by the data protection act, has it gone through the rigors of that consultation process.  That would be my one concern.

But I think on the practical point, if that is done, we assume that the governments will do the right thing, then I think it's a fantastic start.  It's something that you can consider.

>> AUDIENCE: Hello, this is Hassan.  If I understand correctly, you mentioned, you talk about 1981 convention, between the European Union and member state and the modernize that convention.

I wonder, is it possible for you to give us, how the European Union, yeah, the convention is different, European member state and it's regulate how the data protection is like the European Union, so but my question is regarding how European Union deal with the data protection outside the European Union, if that gives us sort of lesson, how the other state can, because the other state also have regulation inside their country, but they are worried about the protection of data outside their country, how they can, how European Union deal with this issue.  Thank you very much.

>> PETER KIMPIAN:  Yeah, so I have to say a few things in advance.  I do apologize in advance because we here in Europe, we are overly complicated when it comes to institutions, and this is how it is, in this respect as well.  The European Union is a regional organization basically created to establish an internal market between the countries, and grow out of this and had some com policies and has 28 member states today.  The organization I'm working for is not the European Union.  It is the Council of Europe, which has been created after the second world war to promote rule of law democracy and human rights and to prevent that the continent falls again into war, and to promote stability in the continent and outside by their open instrument as well.

All our treaties and conventions are based on the Vienna convention on the law of treaties, so these are considered, these are international common law.  We also are working very closely with the European Union as we have common interest.  We have common actions.  But we are not the same organization.

Of course, it will be very difficult for me to speak on behalf of the European Union here, but what I can refer to and invite you to read is a strategy communication from the European commission to the European Parliament and the European, the U council from 2017, where they outlined their strategy for the future, especially on the question that you mention, how they see the external part of their policy on the protection of privacy.

And in that, they make clear that in recital 105 of the GDPR, there is a specific reference to the Convention 108 by saying that the European Union has to take into consideration the partnership that a country is party to Convention 108 when measuring the level of protection that the country can afford to personal data.  So it would not mean an automatic decision from the European Commission side, but it is a very heavy fact that they need to consider, that also the legislature consider, it is important as they put it into the GDPR itself.

So there are lots of commonalities already, but the construction that our leaders have imagined for more in a global level would be achieved when the modernized convention will enter into force, allowing also international governmental organizations such as European Union to accede the convention itself, and in this strategy paper that I refer to, the commission puts forward that it has the intention and it has the strategy policy to accede to Convention 108.

And then it will become party, European Union will sit at the table as party to the convention, and then how to say, the construction of a protective framework which I was referring to throughout the convention can be expanded further.

>> STEPHANIE LI: Okay.  So since time is running out, so I would briefly summarize what we have just discussed.  Actually we talk about many of different examples in different countries.  What we can see is very important here is that each country, they should have mutual trust in terms of crossborder data transfer, and meanwhile, there are still more cooperation and conversation are required.  What are difficulties that are facing us right now, first of all, lack of information and it's difficult to reach out to different stakeholders, especially the Government, and we sometimes, for many developing countries or underdeveloped country they lack the funding to support it.  And also it's, most of the time, a very long and complicated process to actually come to a consensus and conclusion, and eventually to a framework.

Next, we will give the mic to Charles, he will talk more about his idea on this topic and meanwhile, we will move to the second part of our discussion.

>> CHARLES MOK:  Thank you very much.  I'll introduce myself, I was the founding Chairman of the Internet Society in Hong Kong.  Before that actually I started and ran my ISP business more than 25 years ago, and now I am a member of the legislature in Hong Kong.  So I moved to become a useless politician.  (chuckles)

So, what I want to say in response to the questions and also the presentation was that because probably, the problem that I see is that maybe I am a lot of times very much engaged in looking at the legislations and looking at enforcement and issues like that.  My question is, first of all, looking at universal data protection framework is definitely very important.  But how do we do that when many of the countries or jurisdictions do not have good privacy or data regulations to begin with.  How do you harmonize them.  They don't even have it.  Many of the countries don't have it or for the countries that have it like in Europe, actually even the United States don't have real privacy laws.  They are just starting to do it with California.

So I'm not trying to say that setting up the ideas for framework is not important.  Actually it's very important.  But we have to put it into perspective.  What is the real use of having such a, what can you accomplish with such a framework.  Now coming back to Asia, I think it's very interesting to me what ASEAN is doing, what Lih was talking about.  But of course, Asia is still very big, right?  ASEAN is one part of it.  But and maybe some of the jurisdictions and the legal framework they can align it better, because of the facts that they are basically one free trade area, actually more than that.  ASEAN is, the relationship between the countries, even more than that.  So I'm starting to think from a legal perspective, is it worth looking into for countries that are establishing these free trade agreements, that they actually put data related, privacy related issues as part of the free trade agreements.  Sometimes they are negotiated individually between countries, or sometimes with a whole region, you know.  Of course, free trade agreements these days are probably taking a back seat or backtracking because of the Trump administration, but that is another matter.  That probably won't last forever.

The other issue is about people mentioned about the GDPR.  It's interesting that we all look at GDPR and we think that this is very advanced, covers a lot of areas and it is not just talking about privacy but also talking about data, the concept is moved from talking about personal privacy to data regulations.  And even in some ways, regulations over algorithms.  So this is to many other jurisdictions like including in Hong Kong very progressive.

Now the question is, in some ways, for us in Hong Kong, because our law is rather backwards, and there is not enough teeth in the regulations, sometimes we even imagine, some of our companies that get into big trouble with leaking data, like Cathay Pacific, our Government cannot fine them, cannot punish them.  Maybe if the European Union can do that for us we actually would be quite happy.  But I mean some of us in a sense would think that.

We know that many of these countries are talking about cooperating, our privacy regulators we know that every year they have huge conventions, sharing a lot of information between the regulators.  But I have to also caution that a lot of times these data protection laws, regulations, are very political locally, because of many stakeholders.  You know, and a lot of times I think the Civil Society participation is not enough, because these issues are both consumer issues, they are also human rights issues, and also they are commercial issues.  They are becoming more and more complicated, especially for example using one example, we started also mentioning talking about the crossborder data control, data flow issues.  It is actually, it can be highly controversial.  I use the example in Hong Kong, Hong Kong and China mainland are actually two different tax regions, two different legally in terms of privacy law, definitely two different jurisdictions.

Our regulations in Hong Kong when they were passed on personal privacy back in 1997, actually had a section about controlling data flow outside of Hong Kong.  But that part of the law even though it was passed was not enacted, even now.  22, 23 years later.  The reason is because if they start to control really crossborder data flow, they have to set up a white list and a blacklist.  Where do they put our mother country, do they put our mother country as a blacklisted country or white listed country?  That is the kind of law, I'll use it as an example, I'm not trying to criticize anybody, but just using this as an example of the locally political issues that can be brought up for, when you talk about crossborder data flow.

And also, from my technology background I do see there are more and more controversial issues relating to crossborder data flow or concerns because of the advance of cloud technology.  Those big cloud companies would have a lot of opinions about many of these restrictions, because it affects the way that they do business or the way that they conduct their technology.  What more do I have, do I want to say?  One final thing.  I also remember, I think it was Lih, you mentioned also about the relationship between the data protection laws and Cybersecurity and so on.  A lot of times I think we also have to remember that in some countries where the confidence in the public or in the Government is relatively low, whenever you talk about data, it is something that is very sensitive.

These days more and more people do not want to have their data actually gathered or shared by the Government.  Once you talk about Cybersecurity, that can be even more controversial.  I would see a number of countries or jurisdictions in Asia having passed recently Cybersecurity law that basically are becoming tools of surveillance for the national Government.  These examples include China, Macau, Vietnam and so on.

I think from the concerns of the Civil Society, human rights organization perspective, there are a lot of concerns.  So while we might be very, trying to look at it from a legal or data protection point of view to start with, I don't offer any conclusions.  I only offer that this is a very complicated issue.  So more training, more understanding from the Civil Society and the population would be very much needed.

>> STEPHANIE LI: Okay, so thank you, Charles, for your remark.  So we now move to our second round table discussion.  So okay, before watching the questions, so maybe from a human rights lawyer perspective on this issue you can add.

>> RENATA AVILA:  I wanted to address also what can we do locally, because as a law in a developing country would take like ten years, and somehow as you were saying, the trade agreements move faster sometimes than the local legislation, and then you have to implement.  What moves fast is when developing country has the pressure of the big actor to legislate or to implement an agreement, usually from the experience of the IP laws in Latin America that is what happened basically.  And it's a good history to read, to not repeat the mistakes that we did with copyright regulation.

What happened was in the late '90s a lot of trade agreements were signed, and we really developing countries tied their hands to have legislation, there was logic underneath, developing countries need more exceptions and limitations to copyright, for example, to improve access to knowledge and so on.  Similarly, I think that with the data, we need to prevent ourselves to get, we need to protect our privacy of course, but we need to do it in a way that is doable, that is effective, not to commit ourselves to a system of criminalization and regulation that cannot be implemented locally.

What I want to say is, lately, I am hearing a lot, a big push to adopt in small countries that do not have the personnel able to even understand the minimum, a big push to implement GDPR as the standard.  I worry a little bit about it, because it will happen, one size for all is not adequate for this kind of policy.  Some developing countries have to adopt data frame that will benefit them, and what we have now is the two streams, a big push for some countries leading and one to connect the next billion, a big push to deregulate, to liberalize the data, to have very relaxed regulation and enforcement and on the other hand, the European approach with the GDPR.  I think that in between, we need to find a good frame to regulate data protection and data flows for those developing countries that will not have the money to implement the big infrastructure that the GDPR requires.

So for that, I think that I agree that the European, the European council, sorry, Council of Europe frame is the most adequate, because it can be localized domestically following logic that is according to the needs of the country.  And also we have in parallel, because that also will take time, will take efforts, will take a lot of advocacy, which is already happening, but also we have three alternatives.

We can strengthen regional consumer protection frames.  I think the best, actually the starting point, many, we are rushing into like data protection authorities in some countries, there is not even a consumer protection authority, and that goes hand in hand.  I think that a robust consumer protection frame can benefit a lot of these countries left in the middle.

Also, strategic litigation, I'm very fond of strategic litigation when you don't have the legislation, you push for rights using the human rights frame, for example, human dignity, discrimination, you can find right violated by data abuse, it doesn't have to be data for the sake of data.  You can find an outrageous case of human rights violation, and push the court to examine it and to order in some countries, it's possible that the court orders a matter to be legislated.  That can be a quick creative way to get that data protection activated.

The other is standards in industry, I think, I mean if we wait every country to regulate that for seat belts in cars, we still would be with different levels of protection in different countries.  These kinds of issues, I think that the industry, pushing the industry and advocating the industry to have privacy by default and privacy by design and stop designing and deploying things that are obviously harmless in Europe for the privacy of citizens and pushing for that kind of law and standards, and demanding as consumers and demanding as citizens that we are treated with the same respect as European citizens, stop using the products and services of companies that treat users differently according to the passport, I think that that is a good step forward.  Why?  A company, a tech company will have different protection for some users and different protection for others.

We all deserve the same respect and dignity.  I think that a global company especially is following the same logic as pharma, you have for example the same regulations for medicines and those who are like handful here, handful everywhere, so following that approach, I think that we could speedy protect those countries that even without common data protection frame.

Those are some ideas to play with.

>> STEPHANIE LI: Yes, so talk about more steps to fostering universal data protection framework, so I guess we still need to hear more voices about Civil Society.  So Jean, can you add some more idea on this topic on how we can design a framework?

>> JEAN QUERALT:  Hi, Jean from the IO Foundation.

When we are talking about data, all the sessions I've been attending during the whole IGF, there has been this recurring buzz in my head that has been concerning me.  I would actually like to do a small test in the room.  We are discussing personal data, right?  I'm going to give three options and I would like people to just go traditional and raise hands, what do you think personal data is?  Making the emphasis on personal data, is it A, me, is it B, a Lego block that allows me to build all the stuff, or is it C, I got no idea, I never quite thought about it.

Who would say A?  Who would say B?  A Lego block.  And who would say C, I never thought about it?  Okay.  I'm glad no one is raising their hand there.  Option B does concern me, because that is sort of what we are experiencing right now, this emotional disconnect between data and what it represents.  That is at the core of all the issues that we are having, when are we going in this way or that way.  I'm not sure we are understanding what data represents.  Data is always contextual, it does not exist outside of the context of our own collective delusion about certain value meaning something.

That basically implies that it models something.  It cannot be considered only specifically we are talking about personal data, it can be considered just a Lego block because it is you.  It is a measurement of has to do whether with your physical appearance, with your emotional state, anything that has to do with a black box that is your brain, your activities, etcetera.

It's very interesting that we would have a lot of issues when it comes to human trafficking, but we have apparently no problems with data trafficking or moving data back and forth from A to B without really understanding whatever the consequences of it.

That is why the contributions are usually, I'm trying to wrap my head around and see if I can get some more inputs on that.  There is another big issue that it's typically not very much faced in this sort of conversations, we focus a lot on policy, like way too much, and very little on investiture.  That is a big mistake.  Let's say Apple, I don't work for them, I can criticize them a bit.  Anyone who uses an Apple device and buys for instance an album on iTunes, you are not essentially buying the album anymore.  You are licensing the album, that is why they sell you a license, that license allows you to install that album in devices according to their business model, you can share with a number of people, etcetera, etcetera, etcetera.  Let's imagine for a minute that you are really interested in a very specific Indy type of music and Apple decides two months later that is not enough money for them so they are pulling out of the catalog and they do so.

What happens immediately?  It will be removed from the devices, it will be removed from any of your friends' devices where you have shared.  It's transparently for them and for us as well.  Why can they enforce that?  Because they do have the infrastructure.  They are closing the loop.  They have their policy, which is their business model, and they have the infrastructure to enforce it.

They don't have to concern themselves whether data is deleted or not, it is done transparently for them.  When you turn the table and look at public management of data, all that we are doing is always thinking about advocacy, issuing regulations which is good.  I'm not complaining about that.  It's just we are not protecting our citizens with the infrastructure that will observe and implement those rights by design.  We are not closing the loop.

>> STEPHANIE LI: So, Jean just mentioned a difficulty that the fact is many people now fail to recognize the importance of data, and how this is related to the rights and to even their property, even their identity and also the lack of infrastructure.  Before moving to opening the floor, Jaewon, do you want to add something?

>> JAEWON SON:  Yeah, I want to say that what regulations are providing us right now, because of a lack of infrastructure, is the responsibility, transfer responsibility to the shoulders of the users, to make sure when they request data that is done, we don't have technical reassurances.  It is pretty much ridiculous.  You can't ask people to be monitoring 24/7 if when they request data to be deleted from a specific service or vendor that it has been done.  It should be transparent and absolutely automatic for them.

>> STEPHANIE LI: Okay.  So, now is the time for the floor.  So anybody, okay, this lady over here.

>> AUDIENCE: I'm from Hong Kong, I come from civil rights sector, and I want to make some remarks on what is personal data.  I don't think personal data is exactly me, as in that sense but it's not of course property or commodity that you can sell or trade, because after you gave out your data it still relates to you and it's still your data.  But it is not like your car, your computer in that sense but it's your emotions or feelings, that something can never be separated.  Trying to figure out what is personal data, we cannot come up with policy or regulation without knowing what we are trying to protect, because GDPR is so far the best thing that we have right now.  But we all see that there are a lot of problems that it is not able to catch up with development of technology, there is clashing with blockchain technology and different things because they can never be removed once put on blockchain or it's hard to remove.  It's technically infeasible.

I think this points to a number of problems about the cultural differences of different places.  For example, in Hong Kong people don't think about what is personal data as people in Europe do.  When we try to come up with a universal implementation of what data protection should look like, that is always going to be a problem, because for an ordinary citizen in Germany and ordinary citizen in Hong Kong they have very different perspective of what privacy and data protection should look like.  Having a universal framework is hard because it's difficult to address each culture's definition of data.

Another thing is how do we make this kind of framework work, because we do have international frameworks, but international law, it's just a framework.  It doesn't work in many cases, if one country refused to ratify that contract that it's done, there is nothing that we can do.  Privacy infringement of privacy has no remedies.  Once your data is lost, it is lost forever.  Paying you with money or compensating with money does not help with the infringement itself.

We still have a very long way to go.  I don't have any solutions at this point.  But I think we should really start relooking into what is personal data as a start.

>> AUDIENCE: My name is John and member of Parliament from Kenya.  I'd like to talk about an interesting question that you raise about the impact of regulation in the global south compared to what is happening in the global north.  I'd like to report that we can speak with authority as Kenya on this matter, because we have just recently passed our Kenya privacy data protection bill.  And for us, GDPR was a good starting point.

But we got some good learnings to understand that there are some global standards that cannot be applied locally, and so we will have to look at regulation knowing that this shall be global standardization, but there shall be a local people driven process nationally that will bring out a process that involves the local people, so that if we take, for example, legislatures or parliaments, they can be the champions and the owners of this processes, so that if it is an international global standard, it can come to the level of the country through Parliament, which has mechanisms of people driven processes, and out of that, we get ownership, and then we get champions, champions to the country.  Ultimately what will happen is that as Parliaments come up with regulation, and oversight, they will also have involved their people to put in their voice, so that the issues that are being raised by Civil Society can find their way into the regulations that have been made for data protection.  Thank you very much.

>> STEPHANIE LI: Okay.  Yes.

>> AUDIENCE: Hi, I'm from mainland China, but mostly based in the Netherlands in the past decades.  I want to supplement on the question to look at what is personal data, in relation to design, because mostly I came from a design background.

I think that when we talk about personal data, I want to make a, like for instance, how Facebook set up five emotional responses to all the kind of, allow the user to express their emotion in a most convenient way, which is actually in my eyes it's like framing what personal data is in a very industrial way.

I would as a designer question that at the very first place, whether that is personal at all, in relation to our personal being.  And taking that, I think I would look at that in two ways, as a user, I would see that as an opportunity to hack the system, because there is kind of industrial framework of what personal data is, is actually quite inefficient in terms of how it actually address who we are as a human being.  But at the same time, of course, we cannot really expect all the users will be able to, would like to instrumentalize that.

The second would be, I think for people who actually are designing how do we actually consider the framework of datas that could also be rethink as well, like do we really think that personal data can only be framed that way, or even or the data, certain kind of data should be perceived or like how do we actually perceive what is validated as a data set.

In that regard, I think that basically I'm trying to supplement another way to think about what is personal data, in that sense, like can we then regulate, when we have different sets of data set, then can we regulate it in a different way if that makes sense.


>> A couple reflections.  Although I fully agree that data and data protection can be and has to be always contextual, so you always have to assess the context of the data, therefore, you have to have in place the regulation which has enough flexibility to allow this reflection and to uphold the protection, which is at an affordable level or appropriate, sorry, not affordable but appropriate level, and that we can discuss what does that mean in practice.  This is what I'm coming to the point that I wanted to make is that right to privacy is a universal human right, which has been declared by United Nations declaration on human rights article 12.

So although it is contextual, all states, UN Member States has a positive obligation to protect this right.  There can be variation, of course, of the protection, the means and measures of protecting, but what is personal data, what is an individual, what is protection.  I think that out of the 40 years, 50 years of reflections that have been going on in academia, in international governmental organization, or in Civil Society, I think that can serve a very good, very good useful tool for interpretation, for interpreting these definitions.  I come now to my second point, which is, and I'm very glad that you raised it, the Kenyan process of adopting the legislation, it is really one of the success story in Africa, I believe.

The Council of Europe ‑‑ yes.


The Council of Europe itself was involved in this process, and we were giving assistance to the Government and also to stakeholders, how to interpret all these things, because we as I mentioned have several programs that can, that a state can turn to us, and help, request us to explain or to guide through a country through the process.  I'm not saying that we have done the whole process together with the Kenyan Government, but at the beginning we participated very intensively.  I myself participated at the public consultation.  It was really interesting to be there and to hear different point of view.

And I think and I really believe that Kenya achieved a very good result in, and also because I know that, and also encompassing 700 amendments that come during the public consultation.  So it is possible.  There are good models, good examples for that.  So keep on working on the good, keep on trying.  And there are also international organizations that can help you with that.

All infrastructure issues, I cannot agree more, and this is also in relation with work in third countries that we have, and I try to explain this briefly, we come across, we recognize that we will not be able to tackle privacy or put in place a privacy legislation that take into account Cybersecurity infrastructure of the country, the Cybersecurity legislation of the country, and the fight against Cybercrime, and how the tools and infrastructures are put in place in the countries.

So those three have to go hand in hand and have to be considered when we speak about protection of individuals in the digital age.  Thank you.


>> AUDIENCE: Thank you.  My name is Alberto, cofounder, chief operations from Hidera and we develop digital solutions for Sustainable Development, and we are specialized in impact monitoring, so precisely what we are coping with is we are a company in Germany collecting data from development regions worldwide to monitor on the performance of development projects.

So I find it interesting that no matter which policy established for data protection, at the end the people related to the data will probably just accept with a click or with a signature the fact that they want to access some certain tool or some certain service.  And at the end, I think there is a rather majority that will right at the current moment of how it is barely understand which is the meaning of data protection.

So, my question here or my curiosity is addressing how could we make sure that it is properly understood, no matter how it is regulated at the end probably the nonexperts that accept the regulation are those willing to give out, give away the data.  So how could it be a feasible way of making this data transfer or this data willingness of people to give data to be used done in a transparent manner, either people at a certain point in the future will understand data protection as a simple element of life, or there will be a way in which data usage or data flow or data transfer or exchange will be somehow overviewed through, I don't know, in a similar manner as we declare taxes is our responsibility to present how we deal with money, is this somehow a comparable projection for data transfer, data exchange in the near future.

>> STEPHANIE LI: Okay, let's take one more question.  Yes.

>> AUDIENCE: Thank you.  This is a quick one.  I know time is tight.  Again from Trinidad and Tobago, I wanted to give the experience we just heard from Kenya and of course compliments to them and also the Council of Europe and the assistance of that.  But from the Trinidad and Tobago perspective many of you may or may not know where Trinidad and Tobago is but if you don't know, I'll tell you it's in the Caribbean, close to Venezuela, sunny, hot warm island, nothing like what we experience right now in Berlin but sun, sand and sea, but besides that we also are in the news because of the recent disclosures about Cambridge Analytica, and anybody who has been reading or listening to the news would know that Cambridge Analytica used Trinidad and Tobago as a guinea pig, as a test model to see how elections can be let's say manipulated in the United States, and also in England, and now you have seen the result of that with certain things happening in the United States.

But it casts a light on what happens or what is happening, Trinidad and Tobago, in respect to data protection.  We do not have adequate data protection laws.  We do have a data protection act, which is 2011, passed in 2011.  But it's not fully proclaimed, which means that there is no data Commissioner so if your rights are offended or breached, you cannot, unless you do it privately, you cannot go to the data protection agency or there is none, or data Commissioner and seek redress, you cannot get some sort of redress from that individual because he's not been appointed.

What's happened most recent as of this week, last week, the Government has decided to dust off the books, and now reengage stakeholders in a consultation process to hopefully have a new data protection act.  We are assuming that is the direction, and also new electronic transactions act.  Why do I say all of this?  Because of the examples, we all look towards what is maybe considered as the gold standard for data protection.  Kenya may be the gold standard, it may be, is it the GDPR, where do we look?  I think it's quite timely given all these things that are happening and the importance of data protection, you heard Facebook, they have been fined, of course GDPR you have heard, so many different things happening in so many different parts of the world, drawing our attention to data protection.

I think it's quite timely for us in the region, Caribbean region to take a good long hard look at data protection.  And even as a region, because individually, we are so small as islands, we are very small, even on the global map you may not be able to see some.  Some islands are populated by maybe 30,000 people or 50,000 people.  It may be an opportunity for us to have a Caribbean data protection regulation, sort of individual islands, I want to mention that as per of the region.  Thank you.


>> STEPHANIE LI: So, yes, Renata.  You want to add anything?

>> RENATA AVILA:  Quickly on the literacy, I am answering quickly because I have to go to next panel, but and so I excuse myself, but I think education has to be, we need to explore efficient ways to put it in curricula of schools very early and also having a specific training for public officers deciding on this.  I think UNESCO can play an interesting role in that, if we do a reform, it's part of the things that you learn, I think it will be effective.  I think that we need to learn a lot from the environmental movement, before, you know, emission, CO2 all these terms were very away from us, and not, and we didn't really, it was hard to understand how it impacted your life.  Well, we tell a different story about data.  We showed the good sides and the dark sides for different type of people, not only the Cambridge Analytica thing and sophisticated democracies, I think we can get that, and also I insist, sorry to insist, I think there are judiciary has to understand, this is the first that needs to understand, because they can analyze these issues from a human rights frame, from a constitutional frame, and that then they are the best place to make sure that the interest of everyone is protected, because the press often takes a angle that is favorable for commerce, the Government will depend really, and you cannot go that deep into the analysis when you are just educating at the very basic level.

>> STEPHANIE LI: Thank you.  So, yes.

>> Sorry, I'm not making a contribution.  I wanted to do something very African, because Kenya came into discussion.  We had a very strong delegation to the IGF, and even in the room here, there are members of Parliament from Kenya, they can stand where they are so that you know that Kenya was a bit serious about this, including the Vice Chair of the committee on ICI, GK, honorable members, and a former soldier who is a champion for a clean Internet globally.  We had a big delegation that was represented at the conference and also at this discussion.  Thank you very much.


>> AUDIENCE: My name is ‑‑ is it on?  Thank you very much.  I'm from the Youth Internet Governance Forum and there is one thing that I wanted to mention before the session closes.  As we are talking about awareness and data literacy, there is one thing to consider.  Everybody is talking about learning, speaking as well as writing in school so we have a ABC.  Why we are not talking about a ABC of data literacy in school to start education at the very beginning of every children in school, and this is something we need to consider, and we need to talk about it at this Forum.  Thank you.


>> STEPHANIE LI: Any questions?  Yes, please.

>> AUDIENCE: Hello.  I'm from Hong Kong.  Regarding the issue of data protection, and the example of Cathay Pacific, leaking privacy of their customers, the responsibility of data protection is not only for companies and Civil Society, however users are also accountable for their own data protection, that as teenagers, I would say that my knowledge to data protection is not enough, and I think the first step is to educate and raise the public awareness of data protection by education, which comes to my question that how can we users protect our data online and off line.

>> STEPHANIE LI: Thank you for your questions.

>> I want to make some comments on some of the questions that have been ‑‑ there was a question, is data protection properly understood, or the measures.  I have a question, do we really need to?  It's very interesting, I come back to the point from before.  We seem to be shifting the responsibility on how we manage all those things to the user.  It's basically on the industry where we are expecting that.  Users should not have to be concerned whether their data is protected or not.  It should be transparent for them, period, as it is for almost anything.  I buy a car, I'm not concerned how it's built, what are the checks and balances.  It's safe for me and safe for other people, period.  I'm giving a service or product that is safe by design.

When it comes to Cambridge Analytica, this is a personal opinion of mine, it was a joke.  There are way more other companies we should be concerned about and for some reason the spotlight is just on them.  But a very small case of what is out there, so let's start thinking about the consequences in global and not specifically Cambridge Analytica.  For those of you who have watched the documentary, the great hack, personally, what struck me the most was the fact that there was an actual categorization for algorithms of weapons grade.  That says a lot about what data actually is.  I insist on my appreciation before data is a model, you can't have something that is a weapon if it's going to be hurting people, it hurts people because it represents people.  Data is a model of things.  When we come about education, I would like to make a bit of punctualization here, education, yes, sure, just not education all the way.  One of the fallacies we are living nowadays, everyone has to be a hacker for some reason.  Everyone needs to know so much about technology and about phishing and malware.  Excuse me, I don't know how water is purified.  I don't care.  I don't get out of my home with a test kit to check every single tap water that I'm drinking.  That is not what I want.

Why are we expecting that from users?  We have to provide them with technology by design and specialist and engineers who are responsible for that are the ones who have to be sitting with policymakers to make sure it comes from the onset.  My parents taught me if you are going to drink water make sure the glass is clean.  That is the education we have to provide when it comes to data protection.  The infrastructure, none of my business, it should be nobody else's business.  There is another element of education that we are missing the point big time, is programmers.  Specifically, in our organization we identify programmers as the next generation of human rights defenders.  We are not having this conversation with them.  They feel extremely disconnected by the harms that they can produce by not properly architecting software.  One of the fears that you have, has anyone seen any human rights syllabus in computer science academia?  Why are we expecting them to have any sympathy towards human rights?  Thank you.

>> STEPHANIE LI: Thank you for your remarks.  As we only have one minute left, we have to summarize this discussion.  From conventional way to working ASEAN and also in Hong Kong, so we cover many countries, so what I can say to a final point is how can we design a framework, we can start by regional consumer protection framework, strategic, industry standardization, there are many things we can do.  We can even use trade agreements to cover crossborder information flows is one of the possibilities.  But since it still takes time for more cooperation and conversation to be made, now we can look at Convention 108 Plus as our model or we can use innovative technology or many other idea to further this discussion.

So and thank you all for coming here, again, and yes, I hope you guys enjoyed it.  Thank you.

(end of session at 1630)