IGF 2019 – Day 3 – Raum II – WS #83 Different Parties' Role in PI Protection: AP's Practices

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> MODERATOR:  Hello?  Okay.  We will begin our workshop. Okay. All right.  Thank you.

All right.  So, good morning.  Thank you for attending our workshop this morning and my name is Li Yuxiao, the Secretary General of the Association of China.  This morning I'm hosting and happy to welcome you to participate in our workshop.  Under this workshop today is about the different parties' roles in the personal information protection.  Sometimes in the way of Asia‑Pacific region, and since we are all concerned about this issue.  Okay.  Thank you.

We're honored to create this panel.  I think there are two parts.  Firstly, effectively harmonizing ‑‑ so firstly, we created this panel to effectively publicize there is a method and practice of pertinent information protection in the Asia‑Pacific region.  And, secondly, enhanced participants many understanding the rule that different subjects can play for pertinent information protection.

Right now, let me introduce about our fantastic guests here.  They are Professor Wolfgang  ‑‑

>> WOLFGANG KLEINWCHTER:  Wolfgang is enough.

>> MODERATOR:  That is enough.  We know him very well.  He's very famous in this area and I think that is very important to hear about his idea in this area.

And also, I want to introduce the CEO of APNIC Foundation, Duncan Macintosh.  Thank you all for coming.

Mr. Henry Gao, Associate Professor of Law Singapore Management University.

And Dr. Hong, Yanqing, Senior professor the at law and Peking University.  You're welcome.

Another speaker is Ajay Data, the Founder and CEO of Data XGen Technologies who is now joining us remotely.

And another one is Professor Jovan Kurbalija, Director of DiploFoundation and Secretary of the UN High‑Level Panel of Digital Cooperation.  I think later he will join us.

So, I think that since we're talking about the privacy information protection, this is very serious problem for us.  When there is a lot of new technologies and new policies and in all the world and we must think about what's the basic principle for protecting the personal information.

And first, I want to share some ideas with you and introduce about our association's activities in the past few times.

Right now, I'm the Secretary General of the Cybersecurity Association of China and we call it CACIC.  It's an association organization in the field of the cybersecurity which is founded in 1916, and so far, we have 280 members and 300 individual members, including Chinese leading IT in the process and cybersecurity in the process, and University it's, research institute.

The protection of personal information, I think that has always been an important issue of concern to our association and our members have been actively promoting the protection of personal information of China.  This effort not only do we want government department and the legislative branches, but also to the general public.

In 2019, China launched the special actions against mobile APP which collect and use your personal information in relation of laws and regulation, and I think Dr. Hong will introduce it later.

And our, yeah, our association has deeply enrolled in these APP actions and we have achieved very good results.  Since the establishment, our association has always been carrying out activities called cybersecurity tour in China which arms to reach the public awareness of information, protection in various province throughout China.

Since we talk about the personal information, I think that it's a really complex issue, especially engaging emerging technologies, such as AI, 5G, IoT, and big data has continuously promoted various information services and to connect all users into consumers who has highly in services.

In the past time, services providers have formulations of data technology and Internet rules, but governance ‑‑ and especially monitoring and the responsibility determination magnetism.

The public policymakers and the regulators have implement personal protection information and their ability to charge the possible risk that information service poses to the personal information protection.

As they pursue from the public, they are still note convention in the international community.  In the absence of magnetism for the international ‑‑ the institutional difference between countries, how it becomes a spot for the cosponsored data flow and mostly services and personal data flows globally, however, separation and laws has national boundaries.

What we are facing is a structure issues, in fact, which not only require time but also the participation of all parties.  Moreover, Civil Society should take more roles, so in this regard, I would like to make some following suggestions.  I think that it is just very frustrating in a sense of the global personal information protection rules.  Each party for the clearly defined responsibility in the protection process, where countries with formulating corresponding laws to protect the rate and interest of users.  In the EU, the GDPR is a technical case but only protected the right of EU citizens and good efforts for EU benefit, but also for the Asia‑Pacific user cannot be fully protected under one world one night, all the Internet users have some of the same right, and does it include the right to protect personal information?  There are no responsibility and alike for protections because of regional differences, and mostly the necessary communication channels need to be established between the government interfaces and the community to resolve this problem.  I think it is a first.

And secondly, compare with EU, U.S., and other regions where personal information protection has been practiced earlier.  Asia‑Pacific can do much more in terms of the personal information protection in the future.  We created this workshop to discuss this topic in detail, and we also hope to promote the improvement of the personal information protection in Asia‑Pacific regions, facing the 4.2 billion people and 2.27 billion Internet users in Asia, we realize there is a huge difference and difficulties.

Cybersociety, I think, actually organized and publicized the best practice cases and experienced of personal information protection, though we can jointly improve the label of personal information protection and work for creating a regional or even global applicable rules on personal information protection.  Cybersociety in various countries should have communication and mutual recognition for where it can be established between countries, perhaps Asia‑Pacific can protect the personal information of Asia‑Pacific regions and wide extensive Internet fragmentations.

Europe has always been at the forefront in this field and other areas also, and I think that is worth more research and study for the Asia countries.

The last, the thirdly, maybe there is something more not released.  The legal protection of personal information should become the basic right of every citizen, and the protection of peoples' information to consumer should become the basic responsibility of service providers.

Civil Society should serve as an important platform, and on the one hand we should increase the input to facilitate the standards for personal information protection in the industry and to restructure to the collection, use, and transmission of personal information through industry self‑regulation.

On the other hand, cybersociety can encourage members to develop personal information protection tools and provide services to protect personal information usefully.  For example, our members include many leading cybersecurity companies as guardians of the Internet, they have natural advantages and in responding to the traditional cybersecurity problems they can treat personal information protection as a very permitting market.

So, at the personal information protection, I suggest that it change in the Asia‑Pacific regions, it should be richer and more effective, and changes between Civil Society and communities in various countries should be more active and involved.

Meanwhile, we also welcome companies, research institutions, and experts from all over the country to continue dialogue with us and provide available possible policy suggestions and comments in the international communities.  We also hope local comments will fully consider the claim of our members company and Internet users and give them the necessary protection, so this I want to share to you all, and thank you.

Later, I want to introduce Mr. Duncan Macintosh to give us a few words.  Thank you very much.


>> DUNCAN MACINTOSH:  Good morning, everybody.  Let me begin by thanking the Cybersecurity Association of China and congratulating Li Yuxiao for putting this workshop together and I'm pleased to be here for APNIC those of you looking for Paul Wilson, the Director General, he had to stay in Australia because of the bush fire situation there around his home.  I'm here as the CEO of the APNIC Foundation closely related to it and we work closely together and I'm pleased to join this panel.

I'm going to give you a specific example of the challenge of managing personal information, but before I do that, I'll step back and introduce APNIC.  For those of you in the audience who don't know feature APNIC, it's the Asia‑pacific Network Information Centre.  It's one of five regional Internet registries around the world responsible for managing and distributing IP addresses, Internet Protocol addresses.  The fundamental number of points of connectivity in your device.  If you go to Settings, everyone in this room, take your phone and go to Settings, you'll find the IP address that your provider has provided dynamically on a daily basis when you log on, and that address provides the point of connectivity for your device on a daily basis, and that address is provided by one of the five regional Internet registries.  Here in Europe it's Ripe based in Amsterdam.  We're APNIC for Asia‑Pacific and there is one in Latin America, et cetera for the regions.

The model of the operation for the Internet number registries is a non‑profit membership organization, so APNIC is an organization, it's actually a Secretariat serving a membership, and the way that it works is as a mobile phone operator or an Internet service provider or a data center, requires Internet IP addresses or AS numbers, the address resources needed for connectivity in the networks, they will come to us, to APNIC, and request a supply of number resources.  We provide those, and in that process, that network provider becomes.

In the Asia‑Pacific region, we have around 16,000 network operators as members, and these are divided into direct members, direct members to APNIC or indirect members, as in the case of China, where there is a national numbers registry, CNIC that provides the number resource services to all the network operators in China.  And there are several other national registries around the region.

We're not a large organization.  We're about 80 staff managing this particularly fundamental piece of the Internet infrastructure at the very foundation, if you like.  But the management of the addresses is, of course, a fairly large exercise because there are billions, literally, of addresses.  For those of you who follow the registries, you'll know that in Europe this week they actually ran out of IP V4 addresses in quite a big announcement, but that's another conversation I can have with people separately.

The responsibility of managing the addresses is really the key aspect of APNIC's operations, and when we distribute or allocate or provide address resources to a network operator in each economy and in our region we have 56 economies, so they include obviously China and India, very large economies with some of the ‑‑ well not some of, but the largest mobile phone operators in the world in the case of China, and down to the smallest ISPs in the Pacific Islands for example then Vanuatu where the ISP is servicing 8,000 people.  In each of the 56 economies from Afghanistan to the Pacific, we have this responsibility to provide these addresses, but then to always be able to identify who is managing those addresses, and this is the key bit about personal information because what happens is, if I'm a network operator in, for example, in Indonesia and I may have an issue or a concern with another network, because obviously everybody's network is very closely integrated and connected.  That's how the Internet is, it's a network of networks, so it's very important that each network as it connects with another network has a point of contact in that other network.  So, if there is a cybersecurity incident or any other issue or appearing request, one network is able to contact another network, and this is where we get into personal information.

So, it's our responsibility at APNIC as the Regional Internet Registry to run a database that provides this information, and we call this database the Who Is, and the Who Is a publicly searchable database details addresses within the Asia‑Pacific region.  Anyone can go in and search for Who Is the results are for operational purposes, we control it. It can't be used around commercial purposes or anything like that, but it's very important that it's the authority place that you can go to find the contact, the technical contact for a network that's operating in your economy or your region or anywhere around that.

And so, as we allocate resources to those 16,000 different networks, we work very hard with each of the members to make sure that personal information is up to date and is available.  And as I say, it's a publicly accessible and searchable database, so when GDPR came along a few years ago, even though we do not operate within the European Union jurisdiction, it was very important for us to be able to look at the publicly available information on each individual who is the corporate contact and make sure that we fulfill the requirements of GDPR and we were aware of it.

And I think that's really the key message that we have, that in the process of ensuring the privacy of individuals and their information on the Internet, you have an example here of its fundamentally important that that information is available for other people.  If it's not available and I can't contact another network, that's a major technical challenge, so we've got to be able to provide the safeguards that the Chair talked about in his opening remarks around personal information, but at the same time, not restrict the efficient and secure operation of the Internet by blocking contact between network operators.

That's frankly, that is a big challenge because it's not just GDPR, of course.  As we move forward and each economy in the Asia‑Pacific region now is developing their own privacy legislation, and each jurisdiction, all 56 over the next few years, we can see moving towards their own national priorities in terms of privacy protection for the individual and privacy regulation.

The case that we bring to each of these economies and each of these discussions and why I think this forum is particularly useful today is that there must be recognition that there are communities where access to information on an individual is very important for its operation, and the challenge is how do we enjoy the effective implementation of good legislation to protect a person’s privacy, but at the same time allow for the efficient operation of something as fundamental as the Internet itself because we do require in Who Is this need for one network operator to contact another network operator.

And as I say, you lay over the GDPR and then the national legislations and it can become increasingly complex, and we frankly, don't have an answer.  But we do find it very important that we have a voice, that the technical community that we represent, the network operators, can come to forums like this and have this discussion and say that, yes, we understand your priorities in terms of managing personal information and the need to protect it, but we also want you to understand the needs of the technical community in how it wants to operate the Internet.

So, I'll stop there.  I look forward to the other discussions and presentations and any questions afterwards.  Thank you very much.


>> MODERATOR:  Thank you.  You shared with us a lot of information and so I think that is very important to make it effective to protect personal information.  And now I would like to ‑‑ (Speaking off mic)  Wolfgang?

>> WOLFGANG KLEINWCHTER:  Yes.  Thank you very much and thank you also for the invitation and I think the Cybersecurity Association in China is a big player in the global scale.  However, the understanding of cybersecurity has changed over the years.  20 years ago, cybersecurity was seen mainly as a technical issue, you know how to make the devices and the networks secure.  And then the understanding of cybersecurity has changed over the years, you know, with the spread of the Internet and as it was mentioned in the opening speech, now more than 4 billion people are using the Internet and 800 million people in China, and this raises another category of cybersecurity issues.

You know, my understanding is that you have three big areas for where cybersecurity plays a role.  The first one is now a question of national security, so and you know for whatever reason, the sad reality is now that we see the militarization of Cyberspace, the Internet and Cyberspace is a question also of war and peace, and so there is no definition of what a cyberwar is, no definition of what cyberweapons are, but we have seen in the last years, year by year, more and more that there are cyberattacks that undermine the national security of countries, and this is a big issue.

And there are some inter‑governmental negotiations meanwhile in the United Nations and the first committee, there are two in the governmental working groups, one is the so‑called augmented working group and another one is the so‑called Group of Governmental Experts where governments try to find solutions to define norms for behavior of states in Cyberspace and also confidence‑building measures and capacity‑building measures because, you know, diplomats and others very often have good skills to negotiate treaties, but they do not know the issue and that's a big problem that to negotiate and to understand, you know, what are the technical dimensions of the issues to negotiate and you have a problem.  That's why capacity building is an issue.

And you have also a number of activities on the regional level.  For instance, the ASEAN countries, the Ministers for Communication have adopted norms and confidence‑building measures of thousand enhance international security in the region, and you have a number of private sector and multi‑stakeholder activities.  Microsoft was very active in the last couple of years and they have produced a document called the Tech Accord which defines some norms for the behavior also of non‑state actors.

The Siemens Corporation in Germany has created a platform called the Charter of Trust which gives you some guidelines, you know feature how to make cyberspace a more secure space.

I, myself, I was a member of global commission of stability in cyberspace and just 10 days ago at the Paris Peace Forum, we presented our final report where we have proposed eight norms for state and non‑state actors because, you know, the conclusion of this Commission which was chaired by former politician Steve Mosti, Foreign Minister of Estonia, Madam Kaljurand,  Former Secretary of the Homeland Security from United States, Michael Chertoff, National Security Advisor for India, Latha Reddy, and the former politicians said that feature, you know you have to go beyond context and we have to include non‑state actors and beyond the 13 and at 11 principles which were already adopted by the Group of Governmental Experts in the year 2015, and we have to be more specific if it comes to, for instance, the public core of the Internet, and but we have seen unfortunately, APNIC knows, certainly, a lot of these cases, so that there are a text against the core elements of the Internet, against Domain Name System, IP address system, against routing route servers and there is a danger, I see it as a risky development because the world is dependent now from the Internet and if it doesn't function, if you hijack a domain and send emails in different directions or you want to go to a website and it's not reachable anymore because, you know, somebody has confused or blocked service, so this is very dangerous and there should be an international arrangement to protect the public core of the Internet and this is the main message from our report.

There is a second issue with cybersecurity and this is more of criminal behavior.  So, I think cybercrime is not new.  We have ‑‑ it was called in the 1990s, computer crime, but then after September 11, you know, the Council of Europe together with the United States said okay, we need an international treaty on this and so the Budapest Convention on cybercrime emerged and the Budapest Convention defined a number of cases, you know, what can be seen as cybercrime.  You know, if you manipulate networks or computers or so‑called hacking, you know, this is seen meanwhile as a crime.

The problem with the Budapest Convention was that it was negotiated under a certain pressure to do something after September 11 in the year 2001 and some big countries were not involved in the drafting, like Brazil, India, and also China.

And in so far, you know, the appear site of these countries to sign and ratify the Convention was rather low because they said we have not been part of the drafting and probably we would have for some articles a different idea.  Russia doesn't like Article 32 and there are some other things, and in so far, the Budapest Convention has also only a limited reach.  It's a document, Japan, Australia, New Zealand are partners of it, but some big countries like China, Russia, India, and Brazil are not members, so just recently Ghana has signed but only around 70 member states so not the 193 member states of the United Nations.  This is under discussion in the third Committee of the General Assembly for a couple of years, and just recently last week, the Third Committee decided to start another inter‑governmental working group to consider or to investigate whether it would be good to have a universal instrument which would, you know, become inspired from the Budapest Convention but would probably go beyond this by including, you know, all the 193 Member States so this is the basket of crime.

And then we come to the third basket, and this is mainly the subject of free speech and this is to personal security as it comes to data protection.  Information, by the way it was this country, Germany, which introduced the first data protection law already in the year 1970, and that means nearly 50 years ago and this came also, you know, with the distribution of computers that people, you know, became nervous of what happens with my personal data if they are in a computer.  And, you know, we had a big public campaign in the 1970s in Germany which resulted in the introduction into a new article in the basic law of Germany, in the constitution, which has established the right of informational safe determination.  That means that this is really a fundamental right and it says, you know, it's the individual who is owner of the right and not the government, not the corporation it's, and so it's the duty of the government to protect this personal information.

You know, in 1970 there was no Internet and so then over the years it became clear that this is really fundamental issue, and the ‑‑ in Europe as you have also mentioned, was always on the forefront.  It was not only Germany, but a number of other countries also jumped into the boat and with the GDPR, we have reached now a rather high level of the protection of personal data against misuse both by corporations and by the governments, so that means it's the protection of the individual.  I think this is the key message.  And it was not the intention, but it's very interesting to see that the GDPR, which is a rather complex mechanism, you know, of a lot of different rules and specifications, has now rocked the boat far beyond Europe, so that's also our colleague from the APNIC said, you know, in Australia, in the U.S., in Latin America, you know, the GDPR is seen now as an important instrument.  They are checking, you know, which rules are relevant for them, and this has made also clear that we need not only regional instruments, because it's like for the GDPR, it's just for the 28 Member States of the European Union, but we need a global instrument and there is discussion which has started also in the CERT Committee of the General Assembly of the United Nations and particularly the Human Rights Council of the United Nations and there was a special report reported after it's Snowden affair a German Brazilian initiative to establish a special report for the protection of personal data, for the protection of privacy in the digital age.  This is Professor Katanaci who is very active and writes reports and analyzing situations in various countries, and he has a number of proposals of how to draft a global instrument for data protection and against mass surveillance.

So, but the appear site of governments in the Human Rights Council to draft a new international treaty is at the moment not so high because there are a number of, I would say, delicate issues which are also related to content where it's difficult to reach international agreement, you know, as the speaker has said this morning.  You know, if it comes to content, different countries have different ideas of what is good and what is bad content, what is illegal content, what is harmful content.  Harmful is not illegal, it's bad content.  How to deal with bad content.  Should it be blocked, should it be allowed?  And so far, that's slippery territory and that's difficult to find a global consensus, and probably we have to learn also to understand opinions a little bit better.

On the one hand, you know, there is One World One Internet and if you want to avoid fragmentation of the Internet, you have to have also a higher level of understanding and tolerance, so that's a complicated issue, and in so far it needs more study, more research, more dialogue, more better understanding, and I hope that this workshop can contribute to this ongoing dialogue.

What I have heard is that the Cybersecurity Association of China is planning another world forum next year, so I think to have more forum like the IGF is a good idea and I personally, you know, I would ‑‑ I was pushing that the Germany becomes the host for an IGF for a couple of years, and I'm very happy that we have the IGF now here in Berlin and I would be Alts happy to have the IGF, sooner or later, in China.  So, we were in Africa, we were in Indonesia, we were in Latin America, we had meetings in Greece, Lithuania, in Azerbaijan and China would be a good host for IGF and then we can discuss issues of cybersecurity and data protection in another exciting environment.  Thank you very much.


>> MODERATOR:  Thank you, professor, and thank you and I hope so.  I hope so.

Now, I want to invite Professor Gao to give us.

>> HENRY GAO:  Thank you, Chair.  So, today I will focus, yes, I will focus on the different approaches on personal information protection by different countries.  Before we discuss the personal information protection, I think we need to understand, first of all, what are the main interests which are at stake.  I will say that there are three main stakeholders.

The first one is business, which focuses on the profit.  So, for business, they would want the information to flow freely so that they can make the most money and they can reach more consumers and so on.

So, here that is why you see that a lot of businesses, actually big digital firms from the U.S., they will want to have a free flow of information, they will want to have their own say in the collection, storage, process, and transfer of personal data.

Second, you have the consumer or the users and for the users the most important thing is the privacy, and they are most concerned with the protection of personal data, avoid possible leakage and so on.

And then last but certainly not least, you have the government.  Here the government has the power, and this power can be used for good purposes like protecting personal information, and it could also be used to control the personal data from the consumers.

So, in parallel with three different dynamics, profit, policy, and power, we also have three different jurisdictions, the U.S., EU, and China with each focusing actually on one of them.

For the U.S., the key is the commercial profit of the business firms.  That is why the U.S. has made it a crusade to champion the cause of a free flow of information at the international level where you see in all of these free trade agreements, the U.S. has signed recently such as TPP, USMC, the U.S. has been very aggressive in assessing that it should include provisions given to free flow of information across borders and also provision of data organization requirements and source code.

Now, when it comes to privacy, the U.S. does not have a comprehensive privacy protection framework, and instead it only has a patchwork of laws and regulations.  For example, in the Radio regulation sector, if video, X‑rated video, you don't want other people to know you rented such video, so the U.S. has a law that says the video place like Blockbuster cannot release this information of third party without the consent of consumers.

Similarly in the U.S. everyone has a credit card so when you apply for the credit card, they want your credit score and that is also regarded as very sensitive information and that is why in the U.S. there is another law which says the firms which provide such credit scores cannot release such information, again, without the consent.

So, for the U.S., the key is really the sector‑specific protections.  So, in other words, it is read as consumer right, you only have your personal information protected for the sector if you consume in the sector.  If you never rent a video or apply for a credit card, then unfortunately you do not have the right in the two sectors.

In the U.S., the agency in charge of privacy protection is the Federal Trade Commission which is supposed to enforce all of these laws, and then but the U.S. also heavily relies on self‑enforcement by the firms, rather than aggressive enforcement at the federal level.

The EU has a really different approach.  For the EU, privacy has become the key in the digital age.  We see introduction of laws such as the GDPR and that is really as the previous speakers mentioned, that is really taken over the whole world.  It's like every country is now considering something similar to the GDPR.

So, the GDPR is different from the U.S. approach because the GDPR has elevated privacy as a consumer right to a human right, a fundamental human right, and that is really groundbreaking because if you regulate that as consumer right, and as I mention earlier, if you are not a consumer in the sector, you do not enjoy such a right.  But if you are a human being, you always enjoy such a right and so that is very different approach.  So, the EU doing this basically gives every EU citizen and resident the fundamental right.

Article 35 of the GDPR requires the countries where the information is to be transferred to, have to get recognition as providing adequate levels of a personal information protection, and so far the EU, until February of last year, there was some internal fight within the EU Commission because in the EU, you have two different DGs, divisions, the Director Generals, dealing with trade agreements and privacy protection issues.  Trade agreements are negotiated by GD of parade and GDPR is regulated by DG of Justice, so DG of Justice does not want EU to sign all of these free trade agreements without adequate protection of the privacy.

So they were only able to reach a compromise in February of 2018 where the they adopted this horizontal language in all future EU agreement, which basically says first of all, we recognize that there should be free flow of information across border, and so on, but at the same time, we also recognize that the EU's right to regulate on privacy and personal information protection since GDPR, that is non‑negotiable.

If you want to sign free trade agreement with us, you have to accept the GDPR and also most importantly, the EU's right to regulate this is not subject to state arbitration, so that means if you are for and from, and if you come to EU and now the GDPR is introduced, you might be seeing that well this is in violation of the investment agreement and, no, you cannot do that because that is exempted from investors arbitration and making sure that the EU's right to regulate is absolute.

Now, last but certainly not least, China.  For China, the key is cybersovereignty or cybersecurity and there is a strong emphasis on security because the presidency has famously said that there is no national security without cybersecurity.  So, as we know, China has a different system whereby there is no absolute free flow of information.  Instead, some information is filtered and China also introduced regulations which requires the local storage of data and also transfer of source code.

Now, when it comes to privacy, China did not really introduce any law on privacy until 2009 when in the new law China started to introduce the right of privacy.  Actually, ironically, women's privacy was protected ahead of men's privacy in China because in the 2005 law on Women's Right Protection, women's privacy was explicitly mentioned as a right, but for everyone else, that is the gentlemen in the room, they only had their privacy right protected four years later.

And if you look at the cybersecurity law of 2017, there have been some arguments as to whether or not the privacy right is so absolute that you can only transfer the personal information with the consent of the subject that is the person, the underlying person.

But I doubt that this is the case because if you look at the laws, you can see that there were other provisions in the same law where actually they are extensive exemptions for the government.  For example, Article 42 of the same law says that the operators can collect and use the personal information subject to, first of all, the mutual agreement with the user, that is agreement by the user, and second provisions in the law.

And so, if you look at other laws in China, for example, if you look at the national security law.  The national security laws require explicitly and both Article 11 and Article 77 for all Chinese nationals and organizations to help protect the national security.  So, if the government says we want to collect this personal information for national security purposes, of course that would be allowed, even if the user does not give the consent.

Another thing is that Article 42 only says that you cannot transfer personal information to any other person without consent of the subject.  It does not say that you cannot transfer any personal information to any other organization or government without personal consent, so the government ‑‑ if the government wants to collect the personal information, it does not need to get the consent of the subject.

So, this would basically conclude my presentation, but I find the contracts between three different approaches is very interesting.  I'm not saying that there is absolutely a best approach, but instead, as you can see that the three different approaches reflect the different traditions, different culture, different legal systems of different countries.  But, of course, they would have different consequences.

The U.S., because of all of these freedom accorded to the business firms, led to the prosperity of the sector.  In China, because of the strong emphasis on security and therefore the government has a major role to play, and while in the EU because of the strong emphasis on the privacy of the users, you could argue that is one of the reasons why they do not have many digital firm, especially the big ones because the GDPR strictly ‑‑ make it very hard for small firm, especially small and medium‑size firms to operate.

So, I think before we start to think which approaches to take, we have to first of all understand the rationale of the different approaches and the possible implications from each different approach.  Thank you.


>> MODERATOR:  Thank you, Professor, and I think your topic is very interesting and I hope that you can have time to summarize about the years China law making for the privacy protection and data securities.  I think that only from the national security but also from the consumer and personal information protection, that we take a lot of actions, not really for the legislation but also for the regulation.  You know, so, not only from the GDPR and for the U.S. because there is a lot of use for sectors, but also there is some limitations also.

So, we must do things that different kind of take different role or framework to make this personal information protection more effective.  Thank you.

Now, I'm I want to invite our Remote Speaker, Mr. Ajay Data to give us a speech.  He's the Founder and CEO of Data XGen and Mr. Ajay?  Are you here?

>> AJAY DATA:  I hope you guys can hear me.

>> MODERATOR:  I turn it to you; you can make your speech.  Okay.

>> AJAY DATA:  Hello?  Can you hear me?

>> MODERATOR:  Yes.  We can hear you.

>> AJAY DATA:  So, I can't hear you.  I'm Ajay Data sitting right here now in India and I want to tell you that in India, the Supreme Court which is the top court of India, has decided privacy is a fundamental right of every citizen of India.  That's a big deal because that creates a lot of legal framework, lots of liability on the company, lots of issues which were not there before 2017.  This law came in 2017.

Actually, I have on a chat box, I have shared the link to everyone so that it can be shared and read in India about what's happening.  Right now, there is very big issue going on in our parliament, which is the top place to discuss the constitution, the policies of the country, and there is an issue which is being discussed right now about the spying to WhatsApp on private data.  If you heard the news a few days app, WhatsApp tool, a company sold a slice and got embedded into the WhatsApp and got into high profiles of people in the country to take over the data.

What I want to convey here is that the kind of world we are living in right now, you do not know what data is going out of your hands, who is the data, in spite of all the law and framework and everything in place, how do you really deal with the in a remote country that given you have not heard of, how do you remedy the effect.  How do you even know that you understand, how do you know that in a situation where your data is no more private, and your data is no more private, phone number is no more private, everything is gone, and how do you really protect that information which is this right now?

Meaning thereby, this is requiring a lot more deeper discussion at every level.  To speak a little bit about the platform which we use to protect the privacy of the users, protect the privacy of the people in the email platform.  We're probably the only company in the world who exchanges and implements the permission framework whenever the information is being exchanged and within the email also, so the data is protected by the framework and whatever is extended is ‑‑ to the information and not just like that anybody can access and attain and even though the minister can access and attain, it doesn't happen that way.  Once it is given, data is ‑‑ even via the permission framework only.

This is ‑‑ we are today I'm able to talk to all of you from India, but the technology is allowing to do that and exchange the data and share.  The law between this country and the other countries and you may be sending information knowingly or unknowingly and your data is heavily public and everybody may not be aware of all the small terms and conditions in the chat boxes which are fixed on the website, by sometimes, and the conditions of the data and you have no choice but to repair the problem.

Another problem that which we are right now here is how do we really ensure that the data which we say is private is really private?  Not just ‑‑ but even for the person who is custodian for the data.  So how do you really ensure that my data, if it is with environment of India, because the world's largest identity platform to identify the people and how do you ensure who accesses my data does not really have access to the data and use it against me or publicly make it available to somebody else.

How do you really ensure that?  How do we really ensure and build that framework out that really nobody has access to the data and this data protection, the information, if it's really protected, really ensured in a secure environment and available to the people who are the users for the time period.  I think for limited time, 3 or 4 minutes I was given, I'm able to share what I wanted to share.  If there are any questions at the end, I would be happy to answer.  Thank you very much.

>> MODERATOR:  Thank you.  Thank you, Ajay, and your sharing is very interesting of India practice on protection for personal information.  Thank you.  Now I want to invite Professor Jian to give us a speech.

>> JIAN ZHANG:  I will say I can deliver a speech in two minute, it will be the shortest presentation which I ever delivered, but the good thing is that previous speakers listed major issues, and I would just like to highlight one aspect which is extremely important for understanding of you as a policymakers and academics.

There is digital interdependence in the modern world on the level of society and at the international level.  This was also the title of the UN High Level Panel where I was Executive Director of the Secretariat.

One of the previous speakers made insightful survey of U.S., EU, and Chinese data policies, and if I can summarize, the U.S. focuses on the economy, EU focuses on the human rights, and Chinese focuses on the cybersecurity.

Now, what is the real problem and challenge that we face is that you cannot easily separate these in silos.  As we know in February, you had to negotiate trade and human rights internally within the European Union.  Trade and human rights aspect.

What I'm seeing every day in Geneva where I'm based is that many countries and the international organizations face a problem of dealing with data in silos.  You negotiate in trade organizations and it is question of free flow of data and e‑commerce, but by the way, both European Union, China and U.S. and Russia are part of unilateral negotiation, but they focus on free flow of data across national borders.

Then you move to the Human Rights Council and you have privacy discussion, and then you move ‑‑ and I'm speaking about three kilometers of the radius and then you move literally physically, you walk to the international standardization organization and you discuss standards.  Another half kilometer, WHO, data and health.  And then another half kilometer, ITU, telecommunication infrastructure.  And what is the real problem for many countries and I think I would say all countries is that they access this through the policy silos.  One group is discussing in trade, literally, you have mission in Geneva to the trade, WTO, and to the UN.  The other group goes to human rights, the third group goes to technical discussions, and sometimes they have a small collection on confusing conflicts, country argues for one position in trade and other position in human rights and third position in the telecommunication infrastructure.

It is going to be huge challenge for governments, for Civil Society, for businesses to reconcile different aspects of the trade of data policy, economic, human rights, cultural, technical, and security.

And I would say that this is probably, and this is really the shortest presentation I have ever made.  It is probably the core message.  Try to think out of the silos and outreach to other communities, within governments, international organizations, try to learn the language of other community because it is the same issue, data, but viewed through different glasses.  Thank you.

>> MODERATOR:  Thank you.  Thank you, Professor.


Professor is Executive Director of Foundation and remember first you project for the united capacity building program, and I think that is 50 years ago.  Yes.

And a lot of things in this program.  Thank you very much.  And I think time is the reason I must say and maybe we have no time to share your ideas and I think that in the past several years, there is some major developments in the Asia‑Pacific region and with regard of the privacy and the security laws, and as flow of corresponding information continues to grow, we are expecting to see more and more exchanges and changes to privacy laws in the Asia‑Pacific region, and we hope that this workshop can help us to all achieve clarity on some questions, and I hope that all the participants from this panel can understand, and I hope that not only in this workshop, but outside we can continue to discuss about the same things.  Thank you for your joining us, thank you for your participation.  Thank you.