IGF 2021 – Day 3 – WS #80 Trustworthy data flows – what’s at stake and what is needed?

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> TIMEA SUTO: All right.  Two minutes until we start the session.  Feel free to grab a drink in the meantime, and then we will be getting on very shortly.

All right.  I believe we are ready to start our session, if I can just please ask everyone who is still here from the previous session to take your seats with us, and stay with us for the next conversation.  My name is Timea Suto.  I will be moderating this session on behalf of the International Chamber of Commerce and this is trustworthy data flows which is at stake and what is needed.  We have an amazing panel with us today, connecting ‑‑

>> We all live in a digital world.

We all need it to be open and safe.

We all want to trust.

>> And to be trusted.

>> We all despise control.

>> And desire freedom.

>> We are all united.

>> TIMEA SUTO: All right.  Let's start that again.  My apologies.  I forgot that we are always starting the sessions with the IGF official introductory video.

So starting again, thank you for everyone who is joining us in Katowice or online.  Good morning to those of you who are just waking up.  Good evening to those of you who are trying to bear with us at the last hours of your days.

As I said, my name is Timea Suto and I'm with the International Chamber of Commerce.  I'm joined by an amazing formal, Mr. Norm Barbosa from Microsoft, general manager and associate general counsel for lawful access and telecom, Mr. Michael DeSantis, a senior policy advisor and economic development for the government of Canada, Mr. Lawrence McDonald, privacy and public policy manager at Meta.  Ms. Gallia Daor, with the OECD, and Ms. Lee Tuthill with the WTO and Mr. Joseph Whitlock, director of policy at the Software Alliance, BSA.

I'm also joined by my colleague Georgie Anna, who will be moderating our online conversation and Ben Wallace from Microsoft.  So thank you, everyone, for being here with us.

I don't want to take up too much time in introducing our session because I do want to make time for conversation with those of you in the room, in person, and virtually.

And also, for conversation with obviously our amazing panel.

Just a few words for introduction.  What is this session about, and why did we feel that it is important to organize a session like this at the IGF.  We hear a lot of conversations about data, data flows, why they are important, that data is everywhere.  But just to put some numbers to this, this conversation, data transfers are estimated to contribute around $2.8 trillion to the global GDP.  This is a share that exceeds the global trade in goods, and it's expected to grow until $11 trillion by 2025.  This is a value that is not only shared by the digital sector, the technological company or the telecommunication companies, it's shared by traditional industries like agriculture, logistics, manufacturing and it actually realized about 75% of the value of data transfers.  And we have seen in the past years with the COVID pandemic how the resiliency of economies and the societal is so much depended on the uninterrupted flow of data between countries but nevertheless, while the data flows are so important, we are seeing both citizens, companies, and government's trust in international data flows and the technology they enable dwindle and erode, about data protection, consumer rights and universal human rights and freedoms, including privacy rights and the lack of clarity and transparency and consistency between national approaches with cost access to data held by the private sector.  These increased concerns reduced the trust that we all put in digital technologies and may discourage citizens, the private sectors or the government's participation in global digital economy, and this cannot only negatively impact the economic growth but the societal well‑being.  And try to offer an opportunity for all of us to think together and explore potential solutions.

So as I did now, I'm lining up both the positives and the benefits of data and the challenges that we're facing, this session will do that too, in two parts.  First, I will turn to your panelists and ask them, what is at stake here?  How do they feel about data flows, their industries, their sectors, how do they benefit and then we will try and explore together in a conversation what the solutions might be.

I also invite all of you who are following us in the chatrooms, both of you here in Katowice, and in your own offices or rooms at home, to use the chat, while our panelists are speaking to share your experience and to pose your questions in the chat as well, which we will be moderating.

So with ‑‑ without further ado I will be turning to our first speaker, and I will ask Ms. Gallia Daor to give us an introductory discussion on the role of data for growth and well‑being and to share with us a little bit what are the OECD's private policy objectives to help both governments and society at large to harness this potential of data.  Gallia, over to you.

>> GALLIA DAOR:  I'm very happy to be part of this very important conversation.  Just like you said, to maybe kick start our discussion, I know some of the other panelists will sort of elaborate more on some of these parts but to give the overview of what the OECD sees as the role of data for growth and well‑being.  So I think ‑‑ and that was sort of really clear in your introduction but it's obvious to all of us that the data economy is the economy now.  There's no sort of business operation without data or without data flows.  It's essentially to the delivery of public services.  It's critical to innovation.  And over the past two years, for sure, with the COVID pandemic, we have seen that sort of the ‑‑ the flow of data and in particular, the international flow of data was essential to our ability to interact with other people, to continue working, to continue learning, to access healthcare, and was also an important part of initiatives to ‑‑ to fight the pandemic itself, sort of in tracking and tracing of contact cases and, of course, developing a vaccine, and treatments.

So I think ‑‑ I think sort of the importance of cross‑border data flows is ‑‑ it cannot be overstated and I think another important aspect of this conversation is the technological development that sort of underpin it.  So if we look at artificial intelligence or the Internet of Things obviously the cloud, these things sort of enabled and faster and cheaper collection and storage and processing of data that allows all of us as individuals, businesses, governments to make most of this important resource.

But I think the critical point and I think the heart of our discussion is that we cannot make the most of this ‑‑ of data without being able to access it and share it, and the access and the sharing of data also raised these important questions that you alluded to, of the real and perceived risks to privacy, to security, competition, intellectual property rights, bias, and sort of important questions around the right incentives or the way to incentivize the right way to access and share data.

And so from the OECD's perspective, over this and the next year, we are ‑‑ we have undertaken a cross‑cutting projects on growth and well‑being.  One is to improve our understanding of data and for that we can think of sort at least three elements.  One is the use ever data to drive growth and well‑being in different sectors like the ones I mentioned before, sort of health and education, and energy, agriculture.  A second element is to have a more nuanced understanding of data because I think the conversation around data tends to focus on personal data, that raises important questions but a lot of the value that comes from data has to do with nonpersonal data, if you look at specific industries like agriculture, for example.  

And this raises a different set of questions around the ‑‑ the flows of nonpersonal data.  And the third element is perhaps the numbers.  You mentioned the contribute to GDP, but it's hard to put specific numbers on the value of data because it's so context dependent.  It so depends on when and what other data you have and what you do with it.  So it's hard to get numbers to measure its value.

And then the heart of the policy discussion is our support to governments in developing or revising their data governance policies and strategies so that they can help themselves and their businesses and their citizens navigate through the tradeoffs of data governance and sort of bring value and growth and well‑being to all of us.

I will stop here, and I look forward to the discussion.  Thank you.

>> TIMEA SUTO: Thank you very much.  (feedback).

I need to make sure which mic to mute and unmute when I'm both virtual and in the room, but I hope I will do better by the end of this session.

So thank you very much for that Gallia, it was a great way of introducing the topic and posed the most pressing questions from what is data and how are we measuring that.  I think that is the first thing that we need to think about when ‑‑ when we try to find the right policies around this.

I'm turning over now to Joe Whitlock from BSA.  We have heard Gallia mention the OEDC's efforts policy making by governments.  How do you see the rules of data flows for the private sector and how are businesses of various sizes benefiting from data flows?

>> JOSEPH WHITLOCK: Thank you.  Thank you very much.

So the ability to transfer data security and responsibly across transnational IT networks is critical to many economic and social, data transfer supports recovery and they support economic development around the world, digital connectivity, sign err security fraud prevention and anti‑terrorist financing and many other activities tar related ‑‑ that are related to health, privacy and regulatory.  And it supports the global supply chains, an issue of prominence today.  And innovation, productivity, environmental responsibility in every sector of the economy.  75% of the value of data transfers is estimated to benefit sectors such as logistics, manufacturing, and agriculture.

So we have seen a great deal of evidence around this, and much of that evidence is going to produce by the OECD, but a number of other organizations as well.  We are seeing a lot of negotiating among the countries ‑‑ tonight we saw an announcement that the UK and Singapore have concluded their agreement in principle on a digital economy agreement.

Yesterday.  United States and the UK announced a number of data transfer initiatives bilateral and an Indo‑Pacific initiative with a focus that will include a digital prong and digital transfers about the United States.  Why is all of this negotiating activity occurring?

It's occurring in part ‑‑ and I should not leave owl the WTO and a number of other outstanding negotiating initiatives.  But it's occurring part because of the growth of what we see as data nationalism around the world and that's essentially the view that all data generated in a particular country must remain within that country.  If we see those types of measures proliferate around the world, it will be incredibly damaging.  The policy objectives and the government objectives that I outlined at the outset, just to give one clear example, we would not have a COVID vaccine today, if it weren't for the ability to transfer data.

And the last comment I will just make, perhaps previewing other comments is that, you know, we do have a number of international regulatory frameworks that we can draw upon to think about how do we balance the interests and preserving and safeguarding secure and responsible data transfers with the ‑‑ the right to regulate, with the governmental right to regulate.  I think one place to look is at WTO norms.  The flow of goods across borders and the investment across borders, those flows, international flows are all subject to a number of safeguards in the interest of commerce and the interest of rights of governments to regulate and those safeguards ensuring, number one there's a resumption in favor of the international trade and the international flow and on the other hand, recognizing that governments have the right to regulate when necessary, and when they do so, they should regulate that's nondiscriminatory and transparent and consistent with good regulatory processes.

>> TIMEA SUTO: That's the greatest segue to go to the next speaker, Lee Tuthill.  You have an amazing long and productive experience with trade discussions.  What do you think about this question that Joe has primed for us, are barriers of data flow trade barriers and how do you see the connection between the two?

>> LEE TUTHILL: Well, let me back up a minute because I think that in WTO and my area was services, particularly ICT services and I think since the 1980s, when we observed that at least initially industrialized competencies were becoming very services oriented, and now many, many economies are services oriented.  I think we realized from the beginning and the negotiations years ago on services trade that services were highly information dependent.

So even in the early days, we did create some rules dealing with movement of information and the access to the infrastructure, to move information through ICT networks.

So I think that's been long in coming.

What we are seeing today, people are wondering do we need more, do we have enough as essentially everything has gone online.  Information intensive for decades have been sectors like financial services, tourism, and a lot of knowledge services, ICT.  I mean years and years ago, I got a phone call from a computer services company we started supplying our software online.  And in those days as email attachments to customers and what should we do?  We're not trying to evade, you know, duties.  You know, how can we defend ourselves if the government accuses us of evading duties.  So that was a concern even before the current discussions on digital trade and everything.

You have the infrastructure level that deals with the data flows very much, of course the telecom and the ICT are the transit tubes for this.  The logistics sectors which is an infrastructure, very much for goods has been highly data flows intensive for a very long time, initially using satellites before Internet technologies were available, and still, using satellite networks to some degree, and more recently, the online distribution services channels.  I mean, all of these need not only domestic connectivity and domestic data flows to operate smoothly but international ones as well.

You have the marketing platforms and the telecom and the lost logistics are by definition global and tourism and financial have long been global industries.  So as they went digital and they started, you know, moving more and more information around the world, clearly it was going to be a problem as barriers came into play.  I think when you speak of barriers ‑‑ oh, the benefits, I think are very interesting because you can see in the example of the tourism industry, huge cost savings affecting their bottom line and much greater efficiency in tourism and many other sectors that began to use global data flows to manage their business and trade and companies that were less global before could so much more easily go global.

Now the barriers and I know it was inning to see the previous speak ‑‑ interesting to see the previous speaker cut it in a certain way.  I'm cutting it in a certain different way.  The layers of data flow have to deal one with the infrastructure, two with what is really a huge back office function of data flows, in terms of what makes a company work, and finally, the content level.

And I think that different solutions need to be looked at for those different layers in many respects Member States do not ‑‑ would not like to see the infrastructure layer interfered with and that's really where things like data localization as a trade barrier hit the most in terms of the way the Internet actually works and not allowing it to work as it would.

I think that there's a lot of concern about loss of national jurisdictions, and governments are concerned and may overreact.  On the other hand, you have governments that are a little concerned that the bad actors are getting away with things.

Now, I think the days when we thought of Internet as a utopia where everyone would be informed, everyone would be able to contact everyone, and it would all be a very nice place, that's been proved wrong.  And question avenue had to realize you can't ‑‑ and we've had to realize you can't have the wild west anymore and total unregulated sector, but I think that the solutions for how to deal with the bad actors and that goes far beyond privacy, I would agree, that it also includes things like fraud and things like hacking, and a lot of misinformation.  It has to be dealt with that doesn't interfere with the benefits or at least to a minimum degree would not interfere with the benefits.

So I think that that is something about trade barriers, depending on the layer, trade barriers depending on the sector can affect data, but I think we have got to have the regulators, in particular, talking to one another and I think we will get back to that in the next panel.

>> TIMEA SUTO: Thank you very much, Lee.  That's quite an impressive list for all of us to reflect on and we are only halfway through the panel.  So we will still have a couple of questions to explore before we turn to the solutions.  I hope we don't depress everybody with some of the challenging problems that we are identifying over here.  Norm, I wanted to talk to you a little bit, we heard from Gallia, about the various types of data, and we heard from Joe around the nondiscriminatory regulation and trade.  And Lee from a number of perspectives around data infrastructure processes and content but we have not discussed security.  I hope you can enlighten us a little bit around that.  We have a number of ideas around how security ‑‑ data security and data protection is important.  But can we use data and data flows in our efforts to strengthen security?

Does it go the other way around as well?

>> NORMAN BARBOSA: I'm happy to see you and others here.  Micro soft has been active in business and providing input to the OECD, and as the other speakers have highlighted, there's so many incredibly important benefits to global data flows and we as industry, we have an interest in all of those various benefits both for our own business interests but more importantly for the interests of our customers, who include at this point not just consumers using the Internet for recreation, but increasingly over the last ten years, global businesses and governments who are seeking to use digital transformation.  So you see this is incredibly important.

Did I want to focus on one of the ‑‑ I did want to focus on one of the areas of benefits that come out of the global data flows that I don't think has received significant enough attention in light of the pressures against global data flows and that really is cybersecurity.

We have recently issued our digital defense report, which is a report we have been cultivating over the last couple of years to try to focus on the cybersecurity threats that we see at Microsoft, both through our own work with our customers, as well as in collaboration with governments and others and industry around the world.

And if you have reviewed any of that report many of the other reports about cybersecurity, the threats from malicious actors are not going away.  They are increasing.  We see increasing sophistication in those threats both from criminal actors and malicious acting states seeking to gain access to our customers, through hacking and vulnerabilities.  Two of the most recent attacks the solar winds attack was a prominent part of our report.

We provided over 20,000 notifications to our customers around the world that they had been targeted or compromised by malicious nation state actors in just the last year we see that as such an important thing to tackle.  The flow of data globally and the ability to have teams are globally distributed to look at those threats and correlate threats from different regions of the world, and hopefully identify them early.  That was critical to our participation in the solar winds investigation, our ability to see those vulnerabilities being used to attack customers not just in the United States but Europe and other parts of the world were incredibly important to our information sharing both with governments and others in industry.

And as we look at these that are coming to with the lawful access to data.  Primarily by the governments and governed by the rule of law, but with lack of enough transparency and certainty about what those rules, the concern we have is that this fear of illustrious is overcoming the threat by malicious actors.  We are looking for ways to ensure that as we develop norms and rules to govern lawful access we don't impose restrictions that harm our ability to protect our customers globally from cybersecurity threats, which present effectively the other side of the corp, unlawful access, and lawful access, both have a cost on privacy and security, and as we have seen recently with the rise in nation state attacks and malicious criminal activity, those threats are arguably much greater to the security and the privacy of our customers' data and data globally.

>> TIMEA SUTO: Thank you very much, Norm.  That was a clear explanation of what we need to be thinking about when we think about data flows and protecting our data.  This is something want to ask Lawrence about.  Norm has mentioned conversations around privacy and data protection.  So I would like to hear also your perspective a little bit about how the effects of privacies concerns impact the ‑‑ our trust in data flows.  How do varying standards and approaches to security and privacy impact us, impact data flows.

>> LAWRENCE MCDONALD:  I would like to thank the organizers for setting up this panel and giving me an opportunity to speak today at this really important conversation.  I would like to echo a lot of my fellow panelists who talked about the free flow of economic data opportunity and the importance for best security practices.  Those are very important for us here at meta.  Also, I would like to highlight another point that I don't think has been touched on.  We talked about ‑‑ the free flow of data is critical for access to information, privacy, freedom of expression and opinion, and it enables communities to safeguard those rights and hold violators accountable.  It is very important, and all this depends on the approach to Internet Governance that protects the free flow of data that it's private and secure.  A lot of panelists have talked about how they are trying to find regulations nor the first time which is very positive, however, the increase in the data sovereignty have increased regulations that underline many of the ‑‑ of the issues that they are trying to resolve, and so we're seeing a lot of regulations and data localization, that undermine privacy, security, economic opportunity and have serious human rights implication.

So this they risk vulcanizing Internet to region and state silos.  Any kind of communication, any kind of data flow, it's in just the way it's made, it's sent all over the world.  So we are all joined here.  I'm in New York, and many of you are in different parts the world.  And through the data flows that happen they could be going to South Korea, to Japan, to parts of Africa to increase the ‑‑ the quickest route, and make sure that they're flowing with trust and security.

So the Vulcanization of the Internet is very threatening from the regulatory stance and human rights perspective and best practices perspective and rather than restricting or prohibiting data transfers that promote cross‑data transfers and protect the users' privacies and fundamental rights and I will leave it at that.

>> TIMEA SUTO: Thank you very much.  An important bit, I think that you touched on there is really on how does the Internet work and how data flows really underpin a communication like this one or just a simple sending of an email that we take for granted over the year.  And when we think about sometimes these important questions, we miss that connection of how the Internet is set up and how it works, and we only think about the ‑‑ going back to what he was talking about, the different layers of the Internet.  We think about the content that is moving on top of all of these layers, but we do need to think about this in a holistic way.

And of course, turning to Michael, our last panelist, it's not an easy feat on the governments would ultimately take the regulatory decisions on how you balance policy objectives of what we have heard around growth, competitiveness, economic benefits and innovations with conversations around and concerns of users around privacy, consumer protections, human rights protections.  Do you see this as a zero sum game?  Is this a question of either or how do governments approach making policy around these issues.  Michael over to you.

>> MICHAEL DE SANTIS: Thank you for inviting me to the panel and the question.  I would argue that innovation is assisted and not improved by privacy protection.  Is Canada recognizes that sound privacy and data protecting practices are a competitive advantage in the digital and that trust drives growth.

In Canada, we benefit from a strong and flexible privacy regime that establishes pretty effective balance between the needs of businesses for information, and also while respecting the privacy rights of individuals.  So at the federal level, we have the Personal Information Protection and Electronic Documents Act or PIPEDA and that's Canada's private sector private law that would apply in the act of commercial activity.  Based on international principles such as meaningful consent, PIPEDA balances it with the legitimate needs of businesses and they promote and promote the online marketplace.  It's unique in the way that it permits cross‑border data flows.  So PIPEDA does not prohibit organizations from transferring personal data to an organization outside of Canada for processing, however, it does require organizations remain accountable for that date, that goes cross‑border.  There's consent and accountability.  A company that's disclosing personal information across the border, including for processing must obtain consent from the individual and the form of the consent depends on the tensity of the information at issue and the individual's reasonable expectation and the circumstances.

Accountability in the same context means when disclosing information to a third party for processing a company does not relinquish control of the information.  And what that means is regardless of where the information is being processed whether it's in Canada or somewhere else in the world, the organization must take all reasonable steps to protect it from unauthorized uses and disclosures while it's in the hand of a third‑party processor and this is usually by means of contract.

So I'm sure everyone here is familiar with the EU's General Data Protection Regulation.  Under the GDPR, personal information can only flow across borders if specific conditions are met by the controller and the processor, and just generally, those are adequacy, and contractual clauses between parties certification schemes things like that.  I think that PIPEDA is actually an interesting contrast to the GDPR for cross border data rules because it's less formal and more flexible and that lack of formality and flexibility makes growth and envision easier for firms that don't want to operate in Canada.  PIPEDA requires them to have a degree of control and this control persists even if their data is transferred across an international border.  So I think it presents an interesting case for people to consider.  That's all I have to say about that.  And thanks for your attention.

>> TIMEA SUTO: Thank you very much, Michael, I'm sure that you will have more to say about that and other processes as well.

We will contribute to that discussion.  It's not an easy conversation to contribute and have solutions.  For.  We have shared a couple of examples of roles of data and the barriers that our speakers have identified that we need to think about when looking enhancing trust in data flows.  So before I turn back to the speakers and ask them about solutions going forward, I want to turn a little bit to the audience for just a few minutes here and see if there are any examples, ideas from your line of work, your sector that you are involved in, your organization on how you see data flows assisting you in the daily jobs that you do in your activities or what are the challenge that's you face?

You can put your hand up and you can come up to the microphone here at the corner of the table and ask your question.

And turning to the chat, I see there's a question.  And I will ask one of the panelists to volunteer to answer.  Ahmed is asking what are the panel's thoughts on shared prosperity from cross-border data flows, given the global data related divide that's emerging based on the dominance and the geopolitical nationalists have in the current data economy.  So how do we share prosperity and benefits of data across the various parts of the world?  Would anyone like to venture to take that question?

Norm, please.

>> NORMAN BARBOSA: I will jump in.  We are actively working in a number of jurisdictions, including Africa to work towards greater sharing of those benefits throughout the world, and I think the development of data centers and the expansion of operations of not just the global giants, like my company, and some of the others that are represented on this panel, is going to be very important to share in the benefits and other parts of the world, including Africa.

>> TIMEA SUTO: That's great to hear.  I'm sure our speaker or the person who asked the question.

>> JOSEPH WHITLOCK: I would like to add a little bit as well.  It's a great question and an important issue to address.  One resource that's a very resource on this, is a recent report on cross‑border data flows and then last year, the World Bank issued a report on data for development, both of those are excellent, comprehensive reviews of the types of questions posed.

Just to take an excerpt from the UNCTAD, the divergent nationalism, this broad issue that we referred to, is threatening to the interests ‑‑ the collective interests but the interests of the developing countries in particular, in so much that it will need suboptimal domestic regulations and reduces mark opportunities for MSMEs and reduces information and data sharing specifically.

So to the extent it's restricting transfers.  That is counterproductive and harmful and there's much more that the countries around the world can do to help with cross‑border access to data and one of the things that I think is worth noting and it's a fair criticism of a number of countries who focused on the data agreements.  United States has made commitments to guarantee cross‑border access to data and data transfers with Mexico, with Canada, and with Japan, right?  And the United States negotiated those, but we don't see them having been negotiated with other countries around the world and we would certainly welcome, you know a more active US from the US perspective, a more active US negotiating position and engaging in these types of negotiations with Kenya and other countries around the world.

>> NORMAN BARBOSA: Thank you, Joe.  I see Gallia and Lee.  I assume you are adding into Ahmed's question.

>> GALLIA DAOR:  Maybe a comment from the OECD which works on the development context more broadly.  So, in fact, by the end of ‑‑ in a few weeks or maybe early January, we will come out with a report or sort of flagship cooperation report that will focus on the digital transformation in developing countries and I think one thing that we see as sort of the challenges are similar but different between developing and developed countries but I think sort of a strong emphasis on access and a strong emphasis on skills are really important.  And sort of another thing is maybe to have a ‑‑ the international forum for conversation.  So the OECD is one place and there are others but just to have different countries and the different voices represented.

Thank you.

>> TIMEA SUTO: Thank you very much, Gallia.  Lee, go ahead.

>> LEE TUTHILL: Yes, I think Joe addressed my concerns about digital nationalism already, so I would just say that it can come out as protectionist and antitrade, and in that respect, would hurt everybody in the global economy, and all the traders.

In respect to succeeding in the digital space, I think that it's a misperception that you are going to have to be big or you are going to have to be one of the global winners for it to make a difference.  I think for small economies and small companies, the digitalization and the use of data can have a huge impact.  It won't put in play company perhaps in the top ten lists that we constantly see.  But you can make a difference for some suppliers in Africa between making an income that sends their kids to school or not.

I think the concern for the divide is not so much who is big and who is not, but that you may well have, for those people who want to trade and do international business in developing countries, you may have a higher incidence of connectivity within the capital.  You may have a higher incident of connectivity amongst businesses than you have amongst ordinary citizens and that helps them get a leg up.  Again, you do need the skills development to make that work as well.  Thanks.

>> TIMEA SUTO: Thank you, Lee.  I want to thank the participants in the chat for the questions and helping me as the moderator.  I actually wanted to ask questions to guide us towards solutions, and what brings us forward here.  I'm very glad that you are thinking of the same questions over here.

I see a hand in the room as well, so please if you could just introduce yourself and ask your question.

>> PARTICIPANT: Hello, everybody, my name is Jacques Begley and I'm co‑secretary of Swiss IGF.  A rather positive discussion we had at the recent local IGF, and in particular, the ‑‑ the discussion went about the impact of digitalization in times of COVID, and from the research community, it was very positively noted that thanks to the fact that mostly unhindered exchange of data on research, COVID research, that this was really something to develop adequate treatment, adequate vaccines, adequate whatsoever in these times.  So this is a very ‑‑ it's positive.  Mostly it works well.  It's just ‑‑ we just have to make sure it's not getting worse.

>> TIMEA SUTO: Thank you, Jacques.  Let's think about what's at stake here and what we can do to maximize the benefits.  And trying to address that the panel was productive in enumerating.  I want to turn to Roger who has a question here in the room as well.  This is a related question, a young ambassador from the Internet Society.  Would you like to take the microphone or should I read it out?

>> PARTICIPANT: Yes, can you hear me?

>> TIMEA SUTO: Yes, go ahead.

>> PARTICIPANT: I think Michael touched a little bit on this point but I wanted to hear this.  Do you feel it's been a necessary approach that's been rendered ‑‑ I know it's not that old, but has ‑‑ when, like, good results or do you feel that there is more of a kind of, like ‑‑ (Garbled audio)

And at the same time, impacting ‑‑ important for economic development?

My question is if you can have just like an objective?

>> TIMEA SUTO: Thank you.  You were breaking up this for a second.  But if I understand correctly, would you like to hear from the panel whether the GDPR has helped move along more trust around data flows, or has itself been a barrier to some of these data flows, or if I can ask your question has it been both or neither.  Joy, your hand is up.  And then we will turn to Lee.

>> JOSEPH WHITLOCK: Thank you very much.  It's another great question.  I think we need to acknowledge that there is a real trust deficit, real concerns about the security and the privacy of information in the digital networks and the GDPR has been incredibly helpful in moving the ball forward to address that issue.

On the question of data transfer mechanisms specifically, I would like to harken back to comments that Michael had made, two principles are especially important being the principal that data privacy frameworks should operate interoperably, between jurisdictions so that data can continue to flow.  An so it can flow with security and responsibility and then secondary, the accountability protections and the jurisdictions in which the data originates will flow with the data is incredibly important.

And then the last comment is adequacy is one mechanism and the GDPR has standard contractual clauses to end and addition mechanisms and code conduct and certifications and the other interesting model that will be increasingly important in the future are the APAC CBPR rules as well.  I think there's a very good framework for us to ensure responsibility, security and trust in data transfers.

>> TIMEA SUTO: Thank you, Joe.  I see both Michael's and Lawrence's hand up.  Sorry Lee, I think the one I saw from you might have been an earlier hand up.  Let mess turn to Michael then to Lawrence.

>> MICHAEL DE SANTIS: This is something that we encounter in Canada I will argue it both ways. So sorry for taking the easy way.  The GDPR has raised the profile of privacies is a question in many people's minds and something that's important to them as, you know, our economies become more digital and more connected.  I'm sure like everyone on this panel, a got a flurry of emails in my inbox, when the GDPR came into force.

For me, I through it was happening but a lot of my trends and colleagues‑no idea that it was going on.  The GDPR was important in raising the idea of privacy around the world, and I think provided a very good scheme to protect individuals and enable the flow of data across borders.  Now, that said, I can say from the Canadian perspective, that the system is fairly complex, especially for those not dealing with the EU.  98% of our businesses in Canada, and many of them are not well equipped to something a complex regulatory environment like this.

And so in that case, things get a little more complicated and I'm sure with firms around the world, this issue is the same.  The rules are somewhat complex and detailed and if you are just sort of a pretty everyday business, it can be a complicated thing to adhere.  At the same time, the degree of complexity that it poses can be a challenge for some smaller firms in particular.

So splitting it both ways.  Once again for a little pitch for PIPEDA, the sore of less formal way might be ‑‑ the way PIPEDA proposes may be something that the states want to consider, compared to the formal adequacy scheme, such as the one posed bit the GDPR.  Are.

>> TIMEA SUTO: Thank you.  Next on my list is Lawrence and then norm.  Please.

>> LAWRENCE MCDONALD:  This is a great question, and I think one of the panelists, I think it was Joseph, spoke a lot about what I was going to talk on.  It has raised the profile of privacy around the world.  And it's a great initiator.  I'm seeing a lot of privacy laws that are enacted pretty much verbatim on GDPR, which is promising.

As data localization, some of them create at times ‑‑ or first, let me back up a second.  GDPR does have alternate mechanisms.  You talked about code of conduct, vital and public interest, other mechanisms that are alternatives when the receiving country does not have an adequate decision, and those have been really important too.

One thing I know from the US perspective.  Sometimes adequacy protections can take a long time.  I think there are only a few countries that adequacy.  This can take a long time, especially for developing countries to access markets or state‑of‑the‑art tools and technologies or expanding the SMEs and this could be critic in their growth and expansion.

It's very important for them to have these alternate mechanisms.  It will just ab adequacy decision, which results in a de facto data localization regime, where it's saying, oh, you have to have adequacy decision or approval from a regulator, which can also take a long time and is there are not clear‑cut rules on how you get this approval from the regulator and it results in this highly burdensome environment that add additional trade barriers and make it difficult for companies of all sizes, particularly small companies to navigate this global regime.  That's regional frameworks, such as APAC, within the CPTTPP, the shared understanding that there will be no restrictions on data flowing within Member States.

And so they are trade agreements and there's cross border flow.  It's positive and there's some things to fix, but I will leave it there at that.

>> TIMEA SUTO: Thank you so much, Norm.  Over to you.

>> NORMAN BARBOSA: I think like any regulatory framework, we are continuing to learn where the barriers are, but as a net positive, GDPR has clearly been an incredibly valuable addition to the global regulatory scheme, while it has likely slowed things down in terms of development of the internet in the short term, as Michael has pointed out.  It's shined a light open incredibly important issues so we absolutely see it as a very positive development globally.  In many ways it adds complexity and it also oversimplifies the challenges of data flows.

An adequacy overview looks at the bilateral fashion, the EU to one country in a time.  There's no such thing as a solely bilateral Internet connection.  These are multilateral issues.  And that's why we are supportive of efforts like those in the OECD to bring together a broad multi‑stakeholder set of Member States, as well as industry to discuss, you know, what are the principles that should govern trusted government access to data and not just a bilateral fashion, but in a multilateral fashion.

>> TIMEA SUTO: Thank you, and the note of sort of humility, I think, of all of ours would think we understand and have the solutions is very welcomed from you, Norm.  It is an increasingly complex system, with myriads of devices sharing information across the world, with very different situations and very different backgrounds, no the just of the device and the infrastructure and ear things.  So there's a lot of variants.

I want to get back what is the receive that we need to create for ourselves to understand how this works, what is the environment that we need to create for ourselves to help share our understanding in ‑‑ of this increasingly complex system, because finding a solution around increasing trust in data flows will ‑‑ will inherently have a lot of hits and misses.  We will need to be able to test our responses the way we test our devices and technologies, and there's going to be a lot of iterations. What is it that we can learn from other discussions that we've had?  Somebody mentioned the trade negotiations.  Is that something that we can take as an example to apply here.

Are there national approach like Michael mentioned that we can take away?  What can we take away as a springboard to start our global conversations around creating this policy environment?  So I want to turn to each one of you in the panel with the same question, what it is that we can take away as learnings and then with the little time that we have left afterwards look into the audience and try to see if you have some of the parts of solution, because if I may say so myself, I don't the we have the solution yet, but perhaps we can put the pieces together.  I will start with Michael and then to a round Robin of the panel for the same question.

>> MICHAEL DE SANTIS: Thanks very much.  So I would say speaking as a person who works for a national government, I think a couple of things that our costs can do to promote the cross border standard flow, to encourage international collaboration.  So we have all been discussing how data is an important resource the companies use to make them more productive and develop better products and services.  And, you know as a result of the increasing use of that data we need to figure out how to structure, secure it and govern it.  In Canada, we had the discussion in 2019 at the Standard ‑‑ Councils of Standards, where we convened about 220 experts and stakeholders from across government and civil society to create recommendations for clearly defined standardization around data governance.  That provides a detailed description in the Canadian context of the standardization landscape and made 35 recommendations to address gaps and explore new areas where standards on confirmative assessments are need:

We believe this will help Canada build a safer and more secure digital infrastructure which founded on quality, trust and ethics.

I would also note that in the Canadian budget of 2021, we have made had an effort to further strengthen data governance.  And the government of Canada is looking to have a data commissioner which will serve our government and businesses on data‑driven issues and help to protect people's data and encourage the innovation of the digital marketplace.  We believe it will help Canada support sign err security in the increasingly digital and online world and it provides a benefit to small and medium firms.  They make up 98% of all businesses that operate here.

We want them to adapt to new security challenges.  We acknowledge that cross border data knows are increasingly important, as we have been discussing an integral part of the digital economy and Canada considers the free flow of information, across borders while maintain privacy to be an important strategic objective.  So we participate in the economic for cooperation development, the Asia Pacific economic participation, and are actively engaged in initiatives that aim at ensuring there's interoperability cross‑international rules of personal information for in the context of trade.

Canada has this in recent trade agreements on cross‑border flows and this includes the comprehensive agreement and the Canada/US/Mexico agreement.  It's to Canada's advantage to make sure they stay current and flexible and ensuring an adequate level of protection for users and their data and for jurisdictions where no privacy laws exist.  We explore and promote alternative and code conducts and adherence to standards.

For example, can Canada is reducing barriers by establishing a correspond set of rules.  So for all of these reasons from a Canadian perspective, we feel that both standardization strategies for data govern answer and increased collaboration can help promote the free flow of data across international borders.  Thanks.

>> TIMEA SUTO: That's great.  So Michael speaks not policy environment puzzle standardization at home and interoperability of standards when we think about collaboration globally.  So I'm noting that one as first piece to the puzzle and turning to Lawrence to add his.

>> LAWRENCE McDONALD:  I would like to agree with what a lot of presenters already said today.  We talked about interoperability and ensuring that the frameworks that are written can be ‑‑ are able to work within other frameworks that exist and a lot of people here have raised ‑‑ or a lot of the attendees have asked ‑‑ and I have attended a session that was focused on the free flow of data with Africa, where a lot of them are entering the digital economy or are currently operating in the digital marketplaces.  They are not setting themselves off from the global digital companies should look to do that.

We talked about APAC CBPR which is a good framework to pull from and trade agree elements.  So we are supportive of having multi‑stakeholder engagements like this one where we pull people from the private sector and public sector to talk about the benefits of cross‑border data flows and to make people aware of the potential harms that can arise from overly burdensome restrictions on data flows.  What is important is the interoperability and making sure that we conduct truly multi‑stakeholder engagements and engage all members of society and make sure that these frameworks as we said before, are not attempting to restrict doctor ‑‑ are taking into account the technical nature of the Internet and how data flows all over the world and every single minor interaction that we have.

It's important to engagement with the folks from all parts of society so that regulators understand the implications and do understand the nature of technology and, yeah.  I will leave it at that for now.  Thank you.

>> TIMEA SUTO: Thanks so much.  So adding more pieces to the puzzle, multi‑stakeholder engagement, but informed multi‑stakeholder engage.  That we know what we are talking about and that the data has potential and challenges are, but also we now had this links with other layers what we find and see on the Internet.  This is not the just the data layer and the content layer but the actual setup of the Internet system.

Pieces of puzzle that is getting bigger.  So I'm curious what Norm has to add to it.

>> NORMAN BARBOSA: Thank you, Timea.  Truly bringing in voices from a very broad range of expertise and interest to help guide principles in this area.  We have seen too often the discussion ‑‑ these discussions can get siloed with one set of experts or just a particular sector or nations, we need to bring in the law enforcement and trade officials, not just government officials but also industry and experts from civil society and then start from what is the issue we are trying to solve?  What is truly creating this trust deficit?  We all agree there's a trust definite is that's causing concern and raising artificial barriers to global data flows but trying to zero in on what are the real and then come up to rules for the road and providing clarity for citizens and businesses around the world.

Again, I could think that's one of the areas where organizations like this, OECD, we can bring together that wide pod body of expertise.

>> TIMEA SUTO: Thank you so much.  Various branches of same stakeholder group if I can say so, especially when we were discussing as you noted before, Norm, private sector held data would is around the table the government and the various branches as you said that goes into law enforcement, National Security Agencies and experts from the private sectors, various parts as well.  So I hope to see that collaboration coming together when we develop principles.

Turning to further panels to answer the puzzle.  Lee, how do you see, anything you would like to add to this?

>> LEE TUTHILL: Let me turn myself on here.  Thank you.  I think it's a very stimulating discussion and I think a lot of what my fellow panelists have said is very rich and useful to me.  Let me hone in on WTO if you talk about the principles for both policy and regulation, the WTO has decades of experience in trying to get governments to agree to common policy and regulatory principles.  But we also know it's extremely difficult, and our approach has a good side and a bad side on the one hand, you have common sets of principles and they are legally binding principles.  On the other hand, we leave governments to their own devices to figure out how to implement those principles and we hope we have the test of dispute settlement if somehow what they are doing is not consistent.  We have been very strongly sort of aware for decades that harmonization is not possible, when you are dealing with many governments, with different legal systems and different legal approaches.

So this idea of interoperability is a very interesting one where things do not have to be identical, but they have to work together and be moving in the same direction what I like to say, I think the GDPR is a good example of, I think ‑‑ Michael, I think was indicating ‑‑ is it a little too complex for some other markets to implement GDPR?  Have they got all the right answers?  There's even talk of tinkering a little bit with GDPR.  Another thing we can experience from the WTO is multiple governments could have the exact same law on the books and it could be implemented in very different ways and in some ways consistent with the precipitations of trade and in other cases the exact same law could be implemented in an inconsistent way.  My concern is that you have a empirical victory if the law is too difficult.

eCommerce began in 1998 and it discussed about not putting custom duties.  We had a moratorium that's continues up until this time, and then about four years ago we started discussions on rules with a spaller group that would be rules and principles for online trade, initially, we referred to it as eCommerce, increasingly we referred to it as digital trade from the WTO's perspective of the working definitions since 1998, digital trade and eCommerce are all covers and always were covered.

In those discussions, but one of the leading misconceptions that I see in the academic world, and also sometimes in the private sector, is we are creating new rules for trade that was never covered.  It was specifically addressed in the new rules we are talking about but it's totally inaccurate to say that existing rules within the WTO, particularly the cross‑border trade and services is not already covered.

I think what you are seeing is a need to create some clarity, create some specific ideas that can enhance of the existing coverage and to some degree maybe expand how data flows are covered by the WTO rules.

So I think it's important to remember that we have a lot going already in the WTO.  We have almost every dispute settle case under the services agreement has related to something supplied online.  It's capable of dealing with online activity but it's never had to deal with a data knows question in its own right.  And hopefully, you know, governments can work to implement some consistent policies by working together.

Now, I think it was interesting the comment about the bilaterally level.  I wonder in the bilateral level is tough.  What many governments have done bilaterally and brought it to the WTO and I thought maybe even beyond digital trade, that would be an interesting idea in the WTO but what I'm seeing it still isn't easy, even when you have existing bilaterals to use as the raw material, it's a still a difficult process.  Now, is it multi‑stakeholders.  In some respects, it's multi-stakeholder by default, just before the pandemic, when they were coming in are for the negotiations of e‑commerce, the governments were bringing more and more delegates with them.  They come from a variety of ministers and I was happy to see that because they were clearly discussing.  Private sector and trade associations were coming forward, not officially participating but providing knowledge seminars, and there may be two or three private sector seminars going on which in some cases did include some of the difficult society.  I think we have less of the civil society than we might want to see but you are never in the WTO going to have people sitting and negotiating what governments do when they form late their negotiating position is, you know, to try to coordinate with as many stakeholders as possible to formulate that position, to bring to a WTO meeting.

That can be a misconception that since they were not sitting at the table, they are not connecting very actively in many national governments.

When he don't want to lock in to solutions that are not capable to future technologies.  We need regulatory innovation.  We need, perhaps to use ‑‑ permit more of the regulatory sandbox kind of ideas.  Think I had there needs to be much more multilateral cooperation.  Now the WTO can only go to far because it relates to trade and even some things like sign err security and esignatures a variety of things that are trade related but it's not easy to get cybersecurity experts at the WTO.  That is not necessarily their job.

It's not easy to get cybercrime experts to sit down with WTO people although a lot of what they have is extremely important for trust and by definition for trade.

I would like to know what multilateral collaboration may be going on in cybercrime and cybersecurity.  I think they are equality important as privacy in terms of ensure that business and trade can function smoothly and by extension make sure that economies can grow and develop.

>> TIMEA SUTO: Thank you very much, Lee.  A lot of food for thought in refining what the others ‑‑ we don't need to have the same regulation but interoperable policy considerations, where we keep in mind the implementation, not just the same direction of implementation and direction as well to think forward in our approaches and have our approaches be flexible and future proofs much as possible and to have multi‑stakeholder agreements so our positions are informed.

And now, Joe, let's go over to you.  And then I'm looking at Gallia, who will have a very difficult job in contributing and summarizing this.  So just signaling ahead that I would also like to hear how the OECD is taking these advices on board for your project.  So Joe first for your two cents and Gallia not last word.

>> JOSEPH WHITLOCK: Thank you so much.  I would like to echo all of the prior comments and endorse them.  But maybe to ‑‑ to sum up a couple of points.  One is underscoring the critical nature of the interoperability and avoiding a siloed approach and ensuring a future‑looking approach.  When it comes to some of the specific data regulatory or international data regulatory initiatives the OECD's focus on trusted government access, and the law enforcement context, privacy‑related discussions, cybersecurity‑related discussions, those are very important to continue among experts in those specific fields but then it's also, I think, important and useful for us to think about some type of reaffirmation of what the broader international economic legal framework, the umbrella framework is that guides and binds core principles across all of those different areas, and to echo one of Lee's comments, it's absolutely correct that core disciplines already do apply to data transfers under cross‑border data ‑‑ I'm sorry, cross border trade and services, but a clarification that makes clear that in whatever area of regulation, countries will abide by principles of nondiscrimination and abide by avoiding restrictions on trade, that regulation will be necessary.  Those types of clarifications as it relates kind of broadly to data regulation would be quite useful.

It would be useful in the specific context of law enforcement acts and privacy and cybersecurity that we just mentioned, and it would be useful for futureproofing and providing touchstones.

One other comment, again, this does talk about the WTO, WTO has experience going back decades in providing these ‑‑ you know, broad principled framework for the interface, between trade and environmental regulation, and trade and standards, trade and licensing rules and trade and IP and customs.  So there is a broad international framework that has been tested and developed over decades that would be useful to reaffirm ‑‑ where it would be useful to reaffirm core principles.  Thank you.

>> TIMEA SUTO: Thank you, Joe and our last panelist.  We started with you, and we are ending with you.  What are the two cents around policy solutions that you see are the most important and how did the OECD take some of this on board when you think about policy advice?

>> GALLIA DAOR:  Thank you very much, Timea.  Thank you for the rich discussion.  It's difficult to try to summarize that or say something new.  I mean, obviously, I fully echo all the elements that the other panelists identified and I think some of the things I heard and that really reflect, I think the way that OECD works by nature, are the importance of the multilaterally discussion, of the multi‑stakeholder participation, and also sort of the evidence base that sort of supports us in identifying through this multi‑stakeholder input, identifying the best practices that are the space is for the guidance or for principles around this area of cross‑border data flows.

So I think maybe just to give sort of the two examples of concrete projects at the OECD has undertaken in this area.  So one example is the recently adopted OECD recommendation on enhancing access and sharing of data.  This recommendation was adopted by OECD countries in October, earlier this year.  And has a section that sort of relates to cross‑border data flows and provides sort of three main recommendations.  One about minimizing the barriers to cross border data flows and focusing on legitimate needs around that, and one concerns what elements these restrictions need to follow.  So they need to be nondiscriminatory.  They need to be transparent.  They need to be necessary and proportionate and one around the importance of international dialogue around this area.

And then eye second project that I will mention and that Norm has touched upon and Timea, you as well, the ongoing work with government held by the private sector.

It looks into a particular area of trust deficit in cross‑border data flows and to try to fill in this international gap by looking at what is common around country, so that we can promote trust around that and sort of one thing that I can say is that we have already identified a lot of commonalties around this.

And another thing and that is to echo what Norm has said earlier.  The cross‑disciplinary dialogue around this area, and so this echoes some of the Lee's comments earlier.

So we bring together and also the broader project, from national security, from law enforcement and have cross cutting dialogue together, I think I will stop here.  Thank you very much.

>> TIMEA SUTO: Thank you very much, Gallia.  And thank you to everyone who has contributed your thoughts to your really rich ‑‑ this really rich discussion.  I wish I have a magic button to push now to make a really quick summary and come up with the ideal solution for us going forward.  I unfortunately don't have that.

What I do have is a trusted rapporteur in the person of Ben Wallis.

>> BEN WALLIS: Timea, I don't know ‑‑

>> TIMEA SUTO: If we can, we will share the final summary online and thank you all for your input.  I think we might want to stop the conversation here.

>> Timea, I want to say something, because this discussion was very interesting, first of all my name is Pavel and aisle with the president of the council.  Ministers in per view.  We have the data transformation of the country, we just recently approved the cloud first policy, for ‑‑ for the public sector, and actually, we followed also the recommendations from OECD to be a detail by design government.  All of our services should be thought previously to be online, and we have been doing this boot camp so that our public officers can build this trust Mr. Barbosa mentioned there.  Is a trust deficit definitely in Peru.  And even when we have a personal data protection law, actually a very good one that allows data flows ‑‑ data transfers, right?

We also have a cloud first policy.  We still find that there is some myths around the public officers.  I don't think it's only policy because we already have.  It's that something that we can do in a multi‑stakeholder way to bring the trust that we need?  Because I think there is a gap.  I don't know maybe if you have any thoughts or anyone has best practices could share with us.

>> TIMEA SUTO: I believe if we turn to the panelists online, we might not get the answer we want, but I do want to open this up to those around the room, if you ‑‑ if you want to continue the discussion.

My two cents would be awareness raising and capacity building as panelists have said, not just around what we need to do in policy but also how the Internet works, how data flows work, what are the benefits that we all enjoy.  How the flows themselves, how the Internet setup at the different layers contribute to that and what is at stake if we ‑‑ if we lose that.

So that would be my two cents if anybody in the room would like to contribute to that, thank you very much.

For saying that and we can stay in touch as I said online.  Please type ICCBO to your comments and we will make the connections.  Thank you again, everyone, for participating here and online.  We've had almost around 100 people connect together here in the room, from Katowice and from every part of the world online.  So thank you for this amazing discussion.  We will share the summary and looking forward to continuing our conversation at the next IGF and in between.  Have a great rest of your day, everyone.  Thank you.