IGF 2019 – Day 3 – Convention Hall I-C – OF #18 Personal Information Protection

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> MODERATOR: Okay. May we start now. Good morning, everyone. Welcome you to attend this forum hosted by the Cyberspace Administration of China.

We all know that in these days, personal information protection is very hot topic in the digital economy era. Lots of governments have passed laws and carried out their enforcements in this area. A lot of companies have compliance practices as well.

I think this forum will provide a platform to source ideas. Today, we have four speakers, one from the Civil Society, and three from the private sector. There are three big platform companies.

One is a social platform in China. A Chinese eCommerce company. And Microsoft.

Hour first is about the personal information protection.

>> Thank you. I'm Zhang Jiyu from Renmin University of China.

Of course, first of all, there are very many laws regarding the laws of the personal information protection in China, including cybersecurity law and the general rules of standard law, and we have national laws. The personal information protection is in the legislation scheduled too.

China's section of the Chinese Civil Code, they have very significant chapter regarding to the right of privacy and the personal information protection.

The draft was submitted to the national people's Congress standard committee in August of this year, and it was considered in September of this year.

We're looking at the goal of the draft of the personal rights section for civil law and want to exile the personal rights in accordance with the needs of the times.

We see that in our time, we are facing the fast development of cyberspace as integrated mobile networks, blockchains, cloud computing, and AI technologies. We're seeing more and more in the cyberspace and increasingly vast applications of algorithms and integration of cyberspace and the real space. We can see that information technologies are playing a more important part in our lives and may have more impact on people's rights.

So in the personal section, looking carefully to the personal rights in the digital age. For example, we see that with the development of AI, the various years of personal devices and services brings the need to (?)

The other part is this draft wants to provide a measure to comprehensively guarantee the dignity of the individual personality and the life of people in the new era.

Among the highlights of this draft, there are two aspects I want to emphasize today here. One is this draft distinguishes between privacy and personal information. And the other is this draft maintains the openness of personality rights system, including the openness of privacy and personal information. So why to distinguish the two and why to maintain?

First of all, we see the draft really distinguishes the priority and personal information. The privacy in this law refers to the private space and information which persons would not want others to know. Personal information refers to information that can identify a specific natural person and includes a lot of information, of course.

But we see that the personal information in this draft is not yet described as of yet. Also, the using of the personal information that's not necessarily valid privacy, but, on the other hand, the protection of personal information may control the risks in personal privacy and make a better balance of the potential personal rights.

A very important part of the draft says we should describe personal information protection as a right. There are many differing opinions too. In my opinion, one of the key questions here is that is the personal information protection a means to an end or is it an end itself. Because we see it's different than privacy, we can see many kind of uses of the personal information in the new digital era. It may cause many risks. We should ask questions about what are ways to protect personal information. Many believe it's to prevent violations of personal privacy in the digital area and enhance the trust of the public.

We should ask: Is it efficient enough? Effective enough? If not, what are possible measures we can work together to help achieve our goal to better protection the personal privacy as a human rights in the digital era and, of course, how to balance with other values and goals.

There's still a lot to do in this respect. So that's one of the reasons that in this draft, it is not described as a personal information right but rather the protection of personal information.

And the second issue I want to address is the openness of the personal rights system in the draft. 774 of this draft states that personal rights includes right of life, body, house, name, identity, portrait, reputation, honor, privacy, and so on.

In paragraph two, it stipulates that in addition to personality rights, specified in the preceding paragraph, a natural person enjoys other personally interests based on personal freedom and personal dignity. So we can see this is an open definition.

Also, there are, et cetera in the articles about the privacy and personal information. So we can see this also is openness of the definition of the privacy and also the personal information. It maintains the openness of the personality rights system.

So you can see why to maintain the openness. I think there are several reasons. First of all, we want to allow for a degree of flexibility for the concept of personality rights. From the perspective of historical development, the type and specific content of personality rights have gradually enriched with the development of social economy and have been confirmed by law.

We're facing a world with fast development of technologies and the applications. So we can see that in order to reduce the need for new legislations every time the technologies and applications change or evolve, we should look at the accountability of personality rights and protection of personal information.

And I think, in my opinion, there's another goal, that is to set up a goal and ask society to actively protect personality rights in the digital age. That's to send out a signal that is a law and need the active cooperation in the industries in this fast‑developing digital age to find out how we can better provide people's priority and provide people's personal information.

That reminds me of a very typical, very classic paper that was written 20 years ago by a professor. In his famous paper, he writes that there are at least formalities of regulation in real space and cyberspace. This refers to code running out of computers and accessing personal devices.

I think maybe the most famous sentence in his work is that code is law. But I think it's more important that he set up a framework to say that we should, firstly, ask what value we're pursuing in the regulations and, also, if we figure out value, then we should ask how different modalities of regulation work and how they apply to each other and what may be the ultimate idea of the mix of regulations.

So there are examples of law and market and also the social norm that have impacted code. For example, in the recent years, a concept of Federated learning is getting popular in China and in other countries too. This Federated learning is about machine learning algorithms across multiple decentralized devices. This can still find algorithms.

I don't think it can solve all the problems we have facing the personal information protection, but it certainly shows that the law and market can have some impact on the code. That is to say, first of all, we should look at the forces with this technology. First of all, we see that the market has some pressure on the algorithm because, for example, some banks will not willing to share their data with other banks, but they still have the need to train the algorithm to better control the risks from all the data with each other.

So this is the pressure of the market, and, also, there's definitely pressure from the law, for example, GDPR Laos and others. They're asking the industry and the technologists to think about how to better achieve their goal without violating people's privacy and personal information. So we can see this also has several patent applications in China, too, which shows that industry is really paying attention to this kind of algorithm to try to build and protect data and privacy by default.

So we see that there can be a very important cooperation from the legislators, the society, and other industry and scientists. We think that in order to promote personal information protection better, we really need to think about how to promote it through the mix of multiple regulatory modalities and cooperation. This is an important spike of the model based on collaboration, participation, and the common interest which China is developing this year.

Also, really interesting and excising to follow the speakers because they all come from the industry, and we can see how they have the perspective of how to better promote personal information protection.

Thank you.

( Applause )

>> MODERATOR: Thank you, professor. The personality system in China is also very good for other countries to follow this topic.

Let's go to the second speaker. The general leader counsel. Her topic is elements of personal data.

Okay. Please.

>> Hello, everyone. We have two companies. One is a website and another is a social media platform. Simply, it is the product similar as the Facebook, and we have more than 600 million active users. We're the biggest social media platform. We're happy to be here to share with this topic.

Personal data is becoming not only an important part of the enterprise assets, but also an important strategic resources of the countries. Let's move on to the information. What we see in the definition of the data in comparative law, we'll see India and Brazil and in 2018, the personal information protection bill is processing. In General Data Protection Regulation, there are two kind of personal data. One is the information relation to identify a person directly or indirectly, such as the name, ID card, local data, and other kind of personal data. It is relevant because they are subjected to higher‑level protections, such as the genetic, biometric, health data.

We see the focus of the GDPR. The data managers have to inform the person before using, possessing personal information. And there's an obligation to remove. The data manager should delay the personal information according to the requirements of the data subject under such certain circumstances. A notification obligation in the case of leakage, damage, a loss of the personal information. The data managers should promptly report relevant incidents to a competent authority and notify the data subjects.

The second part is legislative framework and the general person posts. Some people compare the personal data to footprints of individuals and the tasks data develops is to build roads according to those footprints. For the road, we can adhere to the attitude of prudence and tolerance, and the user can choose to leave or not to leave the footprints.

So at the same time the road cannot be built without data developers. So we need to protect the interest of the data developers as the builders.

Okay. Legislative framework. There are four levels of legislative framework in China. The first one is laws. The second one is department, the third one is judicial interpretation. The fourth one is the national standard.

Okay. We'll see the personal information protection law has been listed in the legislative program, and the data security management measures also drafted from comments and the provisions on the civil protection are children's personal information and also some other law violation methods for collecting and the using drafting.

Let's move on. Processes and the principles. We can see there are three principles of the premises. The first one is also the most important of the one is safeguard the national security and national sovereignty.

The second is the risk for the privacy of the data subjects.

And the third one, we'll try to use on the basis of legal existing framework.

Basically principle of commercial use of data, we will talk about three principles. The first one is the user consent and transparency. Here, open disclosure is maintained for the subjects. Data security principle includes two principles. One is quality principle, is other the security principle. When there is a mistake in the data, it should be cracked as soon as possible, and you should take necessary measures where integrity is being destroyed.

Basic principle of commercial use data also includes respect the principle of creating commercial interests and values. The role of data, especially the personal data, and the role of the industries, they should be fully respected.

Okay. The third part of my speech is corporate practice. Data has four stages of influence. That means data collection, data processing, data utilization, data transmission, data storage, and data deletion.

In data collection phase, when collecting personal information, the contents of the subject or the personal information is required. And the corporate data compliance experience in data collection phase, you should inform your users whether to fully explain the collection method and purpose. Clearly list correspondence between each function model and the collected information.

Also, inform your users the cookie and other similar technology how to collects.

In data processing utilization stage, you should build a level of protection, technical measures, and anonymization. After the user logs out of the account, the personal information should be deleted in time, and the user cannot be associated with a specific individual and cannot be restored.

In data processing utilization stage, you should clear rules of use and build up the corresponders with the user portrait.

In data flow phase, you should build the security assessment. That means if the child's personal information is transferred to a third party, it should conduct a security assessment by itself or by a third party or agency.

In data storage and deletion phase, you can see domestic storage and the encryption. Encryption means network operators should take measures to store children's personal information to ensure their information security.

In data storage phase, storage clear methods, storage lines and storage standards should be the shortest time to achieve the purpose in expressed time limits, and the retention period required by laws and regulations should be met.

Okay. Let's make the conclusion. We believe we should grasp the common sense, explore the business logic of data utilization and consider the legitimate interests of data developers while protecting the rights of data subjects.

Thank you.

( Applause )

>> MODERATOR: Thank you, Ms. Gu. She has given us useful introduction of different rules and practice of their companies of data protection.

Next, we go to the third speaker. Tanja Boehm, Director of Corporate, External, and Legal Affairs, Microsoft Germany.


>> Thank you very much. Good morning. Thanks for inviting me to speak to you today. It's a great pleasure. Please allow me, as well, to warmly welcome you in Germany. To warmly welcome you in my hometown of Berlin. It's great to see so many international people here in my hometown. Again, it's a pleasure to be here with you.

It's my first panel where I've had my name written in Chinese. I will keep this, if I may.

My speech will be around privacy protection and involving world. Being European, I would like to share a little bit of the history of data protection in Europe and in Germany, in particular, and then I will briefly touch on the GDPR. You also alerted to it already. Finally, I would like to share the approach Microsoft takes toward provision and data protection.

So let me start by sharing thoughts about privacy in Germany or privacy in Europe. I would say based on our historical experience, especially in Germany, the European economy pays special attention to personal information protection. This is true for Germany in particular. The first of these laws came out of one of the 16 federal states, or Länder we say in Germany. In the middle of Germany. That was back in '97. The Data Protection Act followed seven years later.

This shows that already at the end of the 1970s, data protection played an important role in the minds of the civilization and as well of the regulators.

Until the beginning of the early 1990s, data protection laws followed in all 16 Länder in Germany. So we have 16 in Germany at that time.

However, the biggest foundation for data protection in Germany was late in 1983 by the German Federal Constitution Court that ruled as right for information self‑determination. This was the foundation for having data protection as a fundamental right in the German Constitution.

A couple of years later, in the '90s, '95, the European directive with regard to possessing personal data came into force. We all know that the GDPR has been intensively discussed in Europe and other states. It came into force in 2016. It directly applies in all 28 member states in Europe, not only in Germany.

So the GDPR is designed to give individuals more control over their data, over the fact how the data is collected, used, and protected online. The GDPR applies broadly to all organizations of all sizes and types, including large businesses and small businesses, and also public authorities.

The point of the GDPR is to protect the data belonging to EU citizens and residents, but the effort also applies to all organizations that handles it whether in the EU or the world because it's about data belonging to EU citizens and their residents.

The GDPR also introduces penalties, which was the first time, for non‑compliance with up to 20 million euro policies. This could be greater than the 20 million.

What are the key changes to address the GDPR. The GDPR contains many requirements about how organizations collect, store, and use personal data. This means not only how they identify and secure the personal data in their systems but also how they handle new transparency requirements and how they detect and report personal data breaches and how they train privacy personnel and their other employees.

So this slide shows the most important things coming out of the GDPR. For the sake of time, I will not go over all of them, but this slide shows the complexity requirements that we, as a company, and others need to meet.

So what does that mean for Microsoft? Let me share some thoughts about the mission and the importance of privacy protection resulting from that. At Microsoft, our mission is to empower every person and every organization on the planet to achieve more. As you can see here, it's Satya Nadella's signature. He introduced it when he came into the role of the Microsoft CEO.

In all of our activities, we aim to maintain the value of privacy and maintain our customers' ability to control their own data.

We have developed six Microsoft privacy principles. From the foundation of the approach we just described and these principles apply in the way we shape every product and service. So it's control, transparency, security, strong legal protection, and also important, no content‑based targeting. This all benefits to you and the customer that we address.

So what we want is when we do collect data, we will use it to the benefit of our customers and to make their experience even better.

So at Microsoft, we believe that the GDPR is an important step forward for privacy rights in Europe and around the world. In fact, we have always been enthusiastic supporters of the GDPR since it was first proposed back in 2014. This is why Microsoft is the first company worldwide to extend the rights at the heart of the GDPR to all customers, consumer customers, worldwide. And these so‑called data rights includes the right to know what data we collect. It also includes the right to collect the customer for the data, to delete it or to even take it somewhere else.

We have operationalized ‑‑ thank you for your patience ‑‑ through so‑called privacy dashboard which gives our users the tools they need to take to have control over their own data. So only one year after the GDPR went into effect, more than 18 million people from all around the world have used our tool to manage their personal information. While, in fact, the highest level of engagement still comes from the United States but also from other countries around the world.

And for us, this has been a clear, a very clear sign that people all over the world want to be empowered to control their data and to know what happens to their data.

The truth is we ourselves, as Microsoft, have come along the GDPR journey that include valuable learnings. Since its early beginnings, we have been committed to making sure our products and services comply with the GDPR. That's why still today, we have engineers across the country working on GDPR projects. Since its enactment in 2016, we have made significant investments to redesign our tool systems, processes, and to have our customers meet the requirements of the GDPR.

So one can say today GDPR compliance is deeply embedded in Microsoft's technology and culture as well.

Let me close by saying that, from all of this, the history I just chaired, the learnings Microsoft took and how we implement GDPR requirements and data protection approach in our products, we at Microsoft believe that privacy is a fundamental human right, as it was stated in the German Constitution a long while ago.

It's also the foundation of trust. We know people will only use technology when they have trust and technology. This means companies like hours have the responsibility ‑‑ this is how we see it ‑‑ to protect the privacy of the personal data we collect and the data we manage.

So thank you very much for your attention and for letting me share Microsoft's perspective here today. I highly appreciate it. Thank you.

( Applause )

>> MODERATOR: Thank you, Ms. Boehm. You have given us a useful introduction of the privacy protection, you and Germany. Also, Microsoft's learning and journey in this field. I agree with you that in the digital era, no privacy no, trust. No trust no, development.

Also, you raised a very interesting topic. Maybe we can discuss later. Just whether the rights in GDPR should be extended to other countries, as you mentioned, worldwide. We can discuss later. Thank you.

And then we come to the last speaker, the last but not least important. He's the senior director at Meituan‑Dianping, and the topic is about personal data protection in eCommerce platform.

>> Good morning. I'm Song Zhe from Meituan‑Dianping. It's a pleasure to be the guest speaker at this conference.

Let's give a short introduction of our company Meituan‑Dianping to those who are not familiar with us.

Meituan‑Dianping is leading, we're the third eCommerce platform listings in China. We have the cap over 6 billion U.S. dollars. We have maybe 440 million total number of new introduction users, and we have operated in more than 2,800 cities. And in the last 12 months, as of the June, we have 3.7 million rider. You can see we're a large company. If I can give you a short introduction, we're the Chinese version of plus yelp, Uber, and many things covering the daily life of people.

This is a short model. We operate a lot of (?) In China. Maybe you can have this bike sharing in Berlin. We have another platform to connect both the customers and the merchants, mostly restaurants and other merchants as well. I think for this, we should add one more site. We have 3.7 million riders delivering food every day to persons in China. We have lots and lots of businesses.

You can see, for example, one major business of us is for delivery. The other one is hotel booking and, also, we have business to businesses. We have delivered raw materials to the restaurants. For the customers, you can order the food or other things online, and our riders deliver the food and other stuff to your home. Deaf people called Amy. This is maybe in the morning, when you wake up, if you want to have dinner, you can just search for the restaurant just like Yelp. You can make reservation. Maybe you're at work and don't have time to go out. It's simple. You can order food delivery, and riders send the food.

You can make hotel reservations if you want to go on vacation. And at 5:00 p.m., you can ride to your choice. And maybe at 7:00 p.m., you can enjoy the dinner time. You don't need to wait there online. At the end of the day, you can order some food from our platform.

So this is a lot of things that we can cover. Our mission is we help people live better, eat better.

So this is a short introduction. Next, we're share more on the data protection. In general, we put our customers in priority. We believe that the data protection and their privacy are really important to us. So we will definitely follow the principles of the data protection. Controlled by users, transparency, necessity, and technical support. We can give you more examples.

This is our data security management system. We want to protect our customers' data privacy. The data collection, of course, has a very huge platform. In some necessary situations, we need to collect customers' data. For example, if we want to deliver food to a home, we need their location. We need their mobile phone number. So this is data collection that's necessary.

The second one is data access system. In our company, the people have authorization of who can have access to the personal data. It's very strict rules. And for this data processing, after we get into this data, we need to get some processing work. We will have this ‑‑ hopefully my pronunciation is right. We remove the sensitivity so our customers' data privacy is not compromised.

The next one, data sharing. As you can see, there's a lot of parts in our data ecosystem. Sometimes we have to share. We have to share the customers' data with the restaurant so they can prepare the food. And we have to share the information with the riders so they can take the food to their home. When we do that, we'll do the data encryption to protect the privacy and also for is some third‑party suppliers, we'll have the confidentiality agreement with them.

The data audit, this is with suppliers and third parties.

And data deletion, when our customers are no longer with us, they can delete their information according to the applicable rules.

The next one, hopefully my speech will not be that boring. This is in Chinese. I will translate for you.

Our platform is used to provide these kind of privacy numbers. You know, for example, you know, when this food delivery ‑‑ when the riders send the food to the customers, you know, they call the customers. The mobile phone will not be shown the real telephone number of the customers but a randomly created privacy number so they will not be sent. The address is hidden to protect privacy.

If you call a car, for the drivers, they need to call each other. We also provide this kind of artificial privacy numbers.

The hotel booking, under this scenario, before the hotel accepts the customer's order, the manager cannot see the customer's name and real telephone number. Only after the order is accepted, this hotel can also see that privacy number. After the end of order, the hotel manager will have no access to that number any longer.

And we believe that the people's privacy and data become more and more important. So we, as one of the big ecosystems and businesses in China, we will always respect the customer's privacy and data protection. On our end, we follow the best practices of the world and also this development of the policy.

As you know, as a technology company, we believe technology is important. We'll try our best to make innovations in this field and try to find other ways in technical methods to protect the customers' privacy.

Last but not least, we have an ecosystem, a lot of parts involved. For example, the customers, merchants, providers, and so on. So we're hoping all of these parts of our ecosystem can provide us guidance and supervision. Together, with all parties, we believe we can build a better society in the world without compromising their data privacy. We can achieve our mission of helping people to eat better and live better.

( Applause )

>> MODERATOR: Thank you, Mr. Zhe. We have eight minutes for comments and discussions. If you have any comments, questions, please, hands up and tell me.

Yes. You can give a brief introduction of yourself and a very short question. Thank you.

>> AUDIENCE MEMBER: Hello. I'm a student from Hong Kong. Nowadays, we always have to see our personal data online. Also, when our information is used, we don't notice this. We press a button to gain access and continue to do what we want. As we want to do things promptly, we may risk leaking our data. How can we promote public awareness to provide more people protecting personal data?

Thank you.

>> MODERATOR: So who are you going to ask?


>> MODERATOR: Anyone. So any speakers to reply to this question?

>> It's a very good question. I think in Chinese, traditionally, the personal information was not important, but with the development of our society, we know that it's becoming more and more important. So how to improve the public awareness, I think, first, you know, we have a lot of parties. From the regulator's side, they need to do public campaigns to let people know this.

From the private sector, of course, you know, I think at least the most large platforms and companies in China, we have noticed an importance of this one. So we have actually taken matters to educate please to take measures to protect the personal information of our customers, and we do stuff to improve this aspect. I think this is from the private sector and public sector.

For other things, maybe the other guest speakers can contribute more. Thank you.

>> MODERATOR: Okay. So maybe we can go to the next question.

>> AUDIENCE MEMBER: Thank you. Let me introduce myself. I'm also from China. I just want to ask some questions about the GDPR. May I ask Tanja Boehm. I just want to know the GDPR is also about data legislation in China is recently concern. Can you give me some advice about GDPR in Chinese Internet companies and give me some suggestion about how the best practice? Thanks.

>> Thank you very much. That's great question, though. Truly you can understand I speak for Microsoft. As I stated before, we apply the GDPR to commercial customers worldwide, yeah. I can't speak for any other companies here who do business in China, I would say, but I would probably also build on the question before. I think it all starts with the education of the users, to enable the user to know what happens to the data, to know what happens if you click a button, you know. So I think no matter whether it's in China or Europe, yeah, it's key to create transparency by the companies that are processing data, yeah, but probably also from the regulator. This is what happened in Europe with the GDPR, yeah. The European regulator did not want to rely on companies, basically ‑‑ U.S. American companies doing business in Europe.

Again, I think it's the enablement of the users, the transparency that has to be created by the business, yeah, and the right regulatory framework. If the GDPR is the right framework for China, I'm not the one to tell.

>> MODERATOR: Thanks. I totally agree with you.

Okay. Maybe come to that question I have just mentioned after Ms. Tanja made her speech. Whether we should extend rights of GDPR to other countries, maybe it is a very question for other countries' legislation. What is your opinion in this field?

>> Thank you. I think if we're talking about the principles, the broad concept of the regulation, I think, yes, GDPR has certainly shown to the world that we should pay attention to the people's privacy and to people's right in this digitalized world.

I think, as I just mentioned, there are many questions and many things with the researchers. We're still studying what is the pathway to protect people's privacy and to protect people's basic rights in this digitalized world.

Of course, as GDPR has shown a very good model, but its best mechanism is still not quite sure. I think, of course, maybe even if GDPR is best for Europe, it might not necessarily be the best kind of regulation in other countries because the laws should be considered in the whole legal system and in consideration of the enforcement development. So I think maybe they need a lot of study, but I certainly agree that the general principles to enhance transparency, to empower user a very good and important principles that our governments, regulators, and the companies should pay attention to. We should still cooperate with each other inside each country to figure out what is the best legal in that country. That is my personal opinion.

>> I totally agree. There's not one size fits all. GDPR, as a regulation, regulations always have a lot to do with the history of the country or the region that regulates and the culture. It's not one size fits all. As I stated before, this is the key issue of our days, handling data, but if the GDPR should be, you know, transmitted or transformed into various other countries, I'm not the one to tell. It depends on the region, I would say.

>> MODERATOR: Okay. So as we know now, the GDPR has evaluation by EU and also may be evaluation for other countries' legislators.

I think maybe we have to come to an end to our discussion and forum. Thank you very much for attending. Thank you.

( Applause )