The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> JAVIER RUIZ DIAZ: My name is Javier Ruiz Diaz. It's a global coalition of consumer organizations from all around the world. We have 200 members in over 100 countries and we are here today together with consumers Japan and APC, the center for progressive communications and we put this workshop together, as you saw to try to start promoting some collaboration in the region around the issues of data governance, because as we see, the Asia Pacific region has got a lot to contribute and has got a lot of ideas and proposals for how data should work, which are quite influential globally. And we think we want to see more discussions with these groups and debates. We have some colleagues here from Austria and from elsewhere, to also talk about what's happening. So I will let Amy Kato, and then we'll start with the speakers. Just to give a brief order. We are not going to keep totally regimented timetable. We will try to be flexible.
But idea is that roughly we are going to have one hour of presentations and discussion on the various data governance initiatives and policies that are taking place in the Asia Pacific region, which includes the cross‑border privacy rules, the IPF, the data partnership and similar. Then we will have a second block of roughly possibly an hour, although we may start getting shorter as we go along, looking at national context and what is happening in Japan, what's happening in Korea and other countries in the region.
And then the final block would be more like a collective discussion to try to organize some follow‑up intervention. We want to see not just a discussion here today but get an idea where the consumer rights organizations should intervene, trying to engage with policymakers in the ‑‑ on these topics. So I will let now just after a brief overview, I will let Amy kito, do you want to just introduce Consumer Japan?
>> AMY KATO: Hi, my name is Amy Kato from Consumer Japan.
>> PAULA MARTINS: Hello, my name is Paula Martins I'm policy advocacy lead at the Association for Progressive Communications APC. APC is a network organization, we have members in ‑‑ members and associates in 103 ‑‑ I'm sorry. I'm going to start again because I really got confused with the numbers. So bear with me. It's jet lag.
(Laughter).
So APC is a network organization and now I'm going to get the right ‑‑ the numbers right. So what we have are 103 members and associates in 74 countries.
Apologies for that, including some of which are here in the room today, and collaborating with these conversations. We have 24 members in Asia.
Most of these members are in the global majority countries, and they are very diverse members. We all work on the intersections between social, environment and gender justice and technology. So they are broadly speaking, digital rights groups, but they really are diverse in the terms ‑‑ in terms of the focus that they have in the work that they are doing at the national and the regional level.
Data is key to a number of them, in different ways. So you have gender organizations, you have environmental organizations, looking at digital issues, where data is a critical element of the advocacy and the policy, the capacity building that they are doing.
So this is central to the discussions that are taking place between our network, and we were really happy to join efforts with ‑‑ with Consumers International to put together this session. Our view or our idea is to create a space to share info and learn more information related to data governance in the region but to promote more synergy, including among us and the idea of bringing together our networks, our partners working on consumer rights and digital rights so we can explore concrete joint actions maybe following up to this discussion.
So thank you all for being here and joining us today. It is a pleasure to be here in Kyoto.
>> JAVIER RUIZ DIAZ: Thank you, Paula. Our first presentation is going to be Dr. Minako Morita‑Jaeger, who is with the University of Sussex and she will give us an overview of data governance from her research. Please, Minako.
>> MINAKO MORITA-JAEGER: My PowerPoint?
Oh, yes. Lovely.
(Off microphone comments).
>> MINAKO MORITA-JAEGER: Good afternoon, everybody. My name is Minako Morita. I'm based in the UK. I'm still adjusting to Japan two days ago and I'm still suffering jet lag. If I fall in sleep in the middle of my talk, give me a shove but very gently, please.
So I will just give you that wider picture of what is going on at the international level.
So I'm working at the University of Sussex. Also we have the think tank with a co‑established together with the Chatham House. We have the UK policy trade observatory where I'm doing the research policy, policy research for that, and then also that is Center for Inclusive Trade Policy, we are promoting trade policy for all stakeholders equally.
And because I'm trade policy expert, I would like to just explain that kind of the linkage between the data governance and trade as well.
First of all, I think you know very well, but what is data governance and the definition here is maximizing opportunities while protecting the rights. That's governance. And then according to World Bank. It's not for the United Nations. Not only good data management, but establishing norms and rules about rights, principles, and obligations around the use of data. Multistakeholder approach is a key for the data governance. This is why we are gathering here today.
So when we think about the data governance. So this a kind of welcome to the world of tech hegemony. There are three types of data gonance. First, it's the left side, the EU. This is a human‑centric approach of human rights. It's a fundamental right of the EU Constitution. And they just use ‑‑ it's more kind of the promoting, you know, more for protecting the human rights, and then also the fair competition and then platform content moderation. So that always takes hold as equal the benefit from the digital economy. And the opposite or the kind of ‑‑ sort of the contrast is the US‑type of approach. This is market driven approach.
So that that gives really minimum, almost zero cost intervention and market everything, and giving the kind of freedom to conduct business so free economy, digital economy and then getting the same kind of self‑regulatory framework regime. That is a base of the principle here, is free speech. It's not ‑‑ it's a little bit different type of approach, you know, in comparison to the EU. Free speech is key for the United States.
And then government is kind of taking sort of the ‑‑ the partnership, very close partnership with the Big Tech companies to promote these digital economic strategy.
Then lastly, China. China takes the state‑driven approach. The government seeks to achieve the technological dominance at the international level and then promoting data sovereignty. That means the ‑‑ well, the communist party, the Chinese communist party has strong surveillance of its citizens and sort of control people's freedom for the sake of the political agenda or propaganda.
So this is the three times and they are fighting each other, horizontally, and then also vertically for example, the world of tech hegemony, American companies in business in China, fighting with the Chinese government or just give up market ‑‑ Chinese's market coming back to the US or coming back or vice versa. And then Chinese companies in the US have to be ‑‑ to give up the US market, because of this enhancing very the increasing technological rivalry between China and the US.
Oops. Sorry.
So the one thing that's in addition to these three major type of data governance we see, in the Internet Governance level. I also select one more type of the group, which is Asia Pacific countries. That is, I will say, the Asia Pacific country is taking the trade‑centric approach, I will say. That means over the last several years, like Australia, Singapore, New Zealand, and also Japan and Korea, promoting the digital trade agreements or digital trade chapter inside free trade agreements, and then try to promote free data flow.
And with ‑‑ the difficulty here is because of trade agreement is something that promoting trade, it's a real priority. So the balance with the data privacy, fair competition, and intellectual property rights, that sets the second layer of the objective. And then ‑‑ so they are so far creating an FTA. It's a really focusing on the free data flow, and opening ‑‑ openness does matter.
So that does mean since we are talking about from this morning, Minister Kono‑San, the data DFFG, data free flow with trust, then that is really ‑‑ that's not compatible from the trade policy perspective. This is more from the data free flow per se. To trust. How to create trust under the trade fair market is now getting to the very difficult point. I think other speakers may just that you can more about the free trade agreements later. And ‑‑ but the thing I would like to say is, as I said, there's three types of data governance, at EU, US and China type. But this market‑driven approach is something that from 1990s, US government, that time is Clinton administration, promoting Internet freedom agenda.
And then that's really embedded in the trade agreement, like the one thing is a focus on PCVTV. The provision is drafted by Google, really. It's really the tech giant is ‑‑ what we would like to do is this way. It's really written in the CPTPPP, it becomes the base of the digital trade agreements these days.
So on the ‑‑ when we just look at the international, you know, perspective, there's trade agreements which is sort of given transparency, but on the other hand, the market driven approach, and when we look at the countries by countries, even having the countries among the countries which have very sort of deep digital trade provisions, they are taking completely different approach in terms of domestic data governance. For example when we look at the regulatory perspective, this is left side up, this is sort of government's legal regime around data uses and then reuses.
For example, CPTPPP, FTA, the reason the United Kingdom joined that CPTPPP, but comparing with other CPTPPP members, regulatory framework of theUK. The European governance has the high data governance, and so it's among the top of the CPTPPP countries when we look at the responsible. The UK is really 100% but other countries in the CPTPPPP is nothing like emerging countries like Chile, Malaysia, Peru, Mexico. It's really, they don't have the responsibility is ‑‑ they don't promote such data charter, responsible initiatives and so on. Then ‑‑ they don't have this kind of low regulation inside of the countries.
And then when we look at participatory, this is to what extent, why the variety of stakeholders participate in the policy making. Again, in the United Kingdom is 100, and Australia, New Zealand, somehow Canada is more transparent. Others the stakeholder cannot participate, and not at all participate in trade policy ‑‑ or not data governance.
And then finally, international level, this is a tool to see what extent the government joined efforts to establish shared governance rolls like convention, the human rights convention. Again, here in Singapore, which is really the lead promoter of the international trade agreement and digital chapter is ‑‑ they are lacking the kind of human rights protection perspective.
So what I would like to say, today the free data know is trust is something, it's very important, but still political level, and when we look at the domestic level, there's a battle between the three major giants. Implementing free data flow is very difficult, and especially the world which the trade agreement plays, it's very limited and also given the kind of the challenges, the way the free trade agreement is more ‑‑ but looking at human data protection is sort of the way to just ‑‑ the non‑stock ‑‑ we have to think about how we promote free data flow with trust, versus why the variety of stakeholders engagement. So interoperability is something that we really have to start or promote from the bottom up level. It's not a top down. The norms and then free data flow with trust is also the very different interpretation among countries. So I stop here.
>> JAVIER RUIZ DIAZ: So thank you. Thanks a lot Minako.
So thanks so much. So Minako has given us an Jo everyview around data governance and particularly she has described how connected they are to digital trade which is one of the really important frameworks to understand this space.
Now we are going to start going through some of the main data data governance and Jameel here, he will give us an overview of the CVPR. So I will change slides here, hopefully.
>> Jameel: I'm from will Philippines and I'm here representing the Foundation for Alternatives. It's a civil society organization working on the shared space between human rights and technologies.
So as Javier mentioned, my task at this point for this point is to provide an overview of the Asia Pacific economic forum's CPR system, or cross border privacy rules system which is one of those mechanisms currently in place, that is supposed to that is to regulate the flow of information, personnel data in particular. So we are ‑‑ we have been talking about the apex CPTPRR, it factors in on the data governance which is the flow of information.
So the CBPR is actually the ‑‑ as a mentioned earlier, was developed by the APEC. It was launched around 2011, and it is still in place, but I will be discussing in a bit its future, actually is quite in question, given this other system that has just been launched in the middle of last year.
So what is the APEC cross‑border privacy rules system? So in a nut shell, it a certification system, developed by the 21‑member APEC group. And the objective here is essentially to facilitate the free flow of information. So that's familiar phrase that we have been hearing so far during our short time here today.
To facilitate the free flow of information, at least among those economies participating in this particular system.
Free flow, while at the same time ensuring there is supposedly adequate data protection or data privacy measures. So how does the APEC CPBR system work? So if you are an organization that is based in any of these at least nine member economies, currently participating in this system, you can get yourself certified, rather, and by doing so, once you become certified, you are essentially able to ‑‑ this is the idea, you are essentially able to transfer personnel data to another certified organization in another APEC economy that's participate in the CBPR system.
So that's essentially the benefit that you get if you become certified.
Now, how do you become certified? It's essentially through an assessment. And this assessment has two components. The first one is basically self‑assessment. You are given a questionnaire as an organization, you are given a questionnaire by one of the so‑called accountability agents, and the objective of this questionnaire is to determine how much your data protection policies and practices measure up or are aligned with the so‑called program requirements. So these program requirements of the CBPR system, we can more or less look to them as the standards against which all certified organizations are assessed or are evaluated.
And then once you are done accomplishing this questionnaire, you turn it over to the accountability agent. And the accountability agent also performs an independent examination. It verifies how accurate your own self‑assessment was in terms of your ‑‑ your ability to meet the so‑called program requirements.
Then after this two‑part process, if the accountability agent is satisfied, it recommends that your organization be granted or be given such certification. So it recommends to the APEC body that group within the APEC to provide you with that certification. And then once that is done, your name, as an organization, and a few other details pertaining to your certification is displayed on the APEC website.
Now, just two other things to complete, I suppose that picture is who are these accountability agents? You apply to become an accountability agent with your government or whoever within ‑‑ within your country is responsible for your country's ‑‑ or your economy's participation in the CBPR system.
It is possible for a government agent to become an accountability agent. That's very much an option as well.
And then finally, how do you become ‑‑ as an economy, how do you become a participant to this system? You also apply to the APEC as privacy subgroup and they screen your application. I don't think it's that complicated. We don't have enough time to go over the specific requirements but sue suffice to say, it has its four requirements as a country, as an economy, if you want to participate, you comply with those four requirements. And that essentially jump starts the process of you joining this particular system.
So next.
Okay. So given that this is how the CBPR system works, what have parties so far seen as the so‑called benefits of participating from this system? For proponents certainly, they say that by taking part in the system, as an organization, you are able to present some tangible proof that you are at least committed to upholding data protection or data privacy within your organization, and specifically when you carry out data transfers across borders.
It helps also as far as governments are concerned. This supposedly benefits them as well, because it more or less identifies which are ‑‑ those organizations that have ‑‑ that are more likely to comply with their own data protection laws, any particular country participating in the system. It sets a common set of standards, while GDPR stands out among the growing data protection laws around the world, there is that clamor already to have one set of standards, so as to make compliance, especially among businesses and more organizations easier.
So by having the CBPR systems in place, so‑called data requirements, there's a common set of standards. Of course, whether those standard are effective or insufficient, that's a different conversation all together.
Then finally, proponents also say that this system, this mechanism is good, because it does not disrupt local regulatory environments, and by that, we mean if you have a ‑‑ for example, if you use Japan as an example, Japan is its own data protection law, by participating in the CBPR system, it does not in any way change the regulatory requirements of the domestic data protection law, if you are required to perform ‑‑ or to observe specific regulatory obligations, none of those change. You are still required to comply with all of those things, even if you are a Japanese organization that is certified under this particular system.
Now, with those as benefits, critics and other observers also have noted a lot of issues or problems with this particular system. One is it's ‑‑ it does not actually provide adequate data protection. The CBPR system has the APEC privacy framework as its main guidance document, if you will. And the APEC privacy framework is essentially rooted in the OEDC fair information principles, which dates back to 1980, if I'm not mistaken. And as pointed out by a lot of critics, while the OECD principles have actually been updated, I think it was in 2013, the APEC privacy framework has not. It's remained stagnant since it was developed around 2003 or 2004. So there's that.
And then, you have this ‑‑ by even among the APEC members. So APEC has 2 is members and only nine currently are participating in the CBPR. It actually has a partner system which is the privacy recognition for processors system, and in that ‑‑ in that one focuses on data processors and that one only has two participants. I think that would be the US and Singapore.
So I guess that ‑‑ that's ‑‑ that also shows or is indicative of how effective this system is, if even among APEC members, not even half see it fit to participate in this mechanism. So what signal does it provide to others? It lacks domestic laws. I think many people would consider GDPR as the gold standards as far as data protection laws are concerned. We see all of these data protection laws popping up all over the world, and the influence of the GDPR is very much evident.
Because of the nature of the CBPR, of APEC CBPR this is not supposedly changed any of the existing data protection laws and does not compel any government participating in the system to change their existing data protection laws. So it has very limited positive impact as well.
There is that underrepresentation of civil society. So while this is mainly backed by the government, it requires significant participation by the private sector, especially when we consider that accountability agents are mostly part of the private sector themselves, and civil society is mostly left out of the conversation.
So if we are talking about the three types of data governance mentioned earlier, one would think that civil society would be the ones to push more for a human rights, centric‑type of governance, but because they are left out of the conversation for the most part, we have ‑‑ we see the second type of governance more evident here, which is the market‑driven one.
As far as the legality and enforcement of legal challenges, the issue here also can be traced to the APEC itself, because the APEC unlike other regional organizations, it has no charter it has no constitution to speak of. It's not a TRIP so it's mostly consensus based. And so there are no existing mechanisms that would really ‑‑ strong mechanisms that would have the governments abide by the governance of these systems and more so those organizations actually certified under this system.
And then there is the issue of the question of fragment. This is quite ironic. Proponents of the CBPR system, because it creates a set of standards it helps solve or at least helps to avoid fragmentation by developing the common set of standards but if you look at the CBPR itself, because it's focused only in data controllers and you would require another system, the PRPI that I mentioned earlier to deal with data processors. So it's also inherently fragmented, unlike other systems or mechanisms in place. That takes into control, all the different permentations and then finally, there is the issue of cost. It's not actually cheap to get yourself certified and it's not ‑‑ and it was not very easy for us to look for actual figures to determine how much it costs, but there's this at least one accountability agent based in the US that provides a rough estimate. So they say that it takes an organization over there between 15,000 to $40,000 to get itself certified.
In Singapore, they only provide the $400 amount to ‑‑ I think it was an assessment fee or application fee itself. There was no figure that we were able to secure to provide again a general estimate of how much it costs to get yourself certified, for instance, if you were in Singapore.
And before I end, I would allocate just this one slide about the global cross‑border privacy rules forum. So why is this relevant when we are talking about the APEC CBPR? Well, as I mentioned earlier, this was established just last year in 2022. And it is important because it is essentially a replica of the APEC CBPR system, and its partner system, the PRP systems.
Very much a replica in the sense that the same countries who are now participating in the APEC CBPR are actually the same countries also behind the establishment of the Global Privacy Rules Forum with the exception of Mexico. And then all of its elements at least so far because they are still in the process of developing it with additional details. So far what we have seen is that all the different mechanisms, the elements of APEC CBPR have also been transplanted to the global forum, even the accountability agents recognized under the CBPR, they will be recognized also under the global CBPR forum.
There are some smaller changes or differences in the forum they recognize two types of participants. We have members and then you have associates. Associates are essentially economies or countries that are looking to become members, but are not yet immediately ready to do so and the example we have right now is the UK who have not just signified, I think but if they are not mistaken, already an associate of global CBPR forum.
And what else? Yeah. So that's essentially why this is critical, because ‑‑ or at least very important part of the conversation, because if the global CBPR forum actually progresses, the question of sustaining still the APEC CBPR becomes very valid, why still maintaining the APEC CBPR when you already have this system, a new system, which is broader in scope in operation.
But for the moment, at least, these same countries behind the APEC CBPR make it very clear that these two systems are independently operated. So supposedly, they do not affect how the other operates, but, yeah, we'll have to look at this particular situation in the future, depending how much things progress as far as the global CBPR global privacy rules forum operates. If you are interested in more information about the APEC CBPR and to some extend the Global Privacy Rules Forum, we already have the report available on that URL that you can see on the screen.
And you can download it, yeah, later.
Yeah.
>> JAVIER RUIZ DIAZ: Thank you. So, we will share the with all of you. I mean, we will put those URLs in the Zoom and we will share them with you if you are ‑‑ at the end of the meeting if you want, you know, we will give you all the URLs.
So this was a look at the CBPR, which is one of the systems that is trying to become a global standard for data. Now we are going to hear another presentation for another system that is not the same. It is not ‑‑ but it's also being introduced as an example for what could be an approach to global data governance, which is the data Economic Partnership Agreements, the DEPA model. So we will have a presentation coming Jo unline from Pablo, who is going to speak from Chile, and I think he will be joining in directly. So I'm just going to switch off this mic.
>> PABLO TRIGO KRAMCSAK: Can you hear me? Javier?
>> JAVIER RUIZ DIAZ: Yes, we can hear you?
>> PABLO: Can you hear me? Yes? Javier, can you hear me?
>> JAVIER RUIZ DIAZ: Yes.
>> PABLO: Okay. Great thank you.
Thank you very much. Well, my name is Pablo Trigo Kramcsak, I'm at the University of Chile, and I will present some of the elements and many of the findings of a report that we are ‑‑ we have prepared on the cross‑border personal data flows and this study was developed thanked to the the Board of Digital Trade alliance.
Well, first, some context, in the modern data‑centric, the collection processing and the sharing of personal data pairs a central role, and the foundation of international local grade and it's not yet possible to achieve an international consensus to comprehensively tackle this diverse aspect of the digital trade. As a result, it's become more common to find the trade provisions incorporated into new FTAs, resulting in what is often described as spaghetti bowl on regulation into digital trade sphere.
Privacy and data protection concerns have gained increased prominence in their positions but the intricacies of the data governance make the landscape quite complex.
What complicates that is the three major globals, the United States, European Union and China adopt a distinct approach to the data governance. It was mentioned before, but at it was very clear. The US takes a sectoral approach, allowing the businesses to set rules and several regulate privacy. The European Union safeguards data through comprehensive domestic regulations, and the approach offers ‑‑ this approach offers a robust personal data protection and is not up for negotiation.
On the other hand, China has implemented its strict regulations for personal data protections aiming to boost its data‑driven economy and internal security.
Well, the Asia Pacific countries have some of the most advanced, such as the US‑Japan digital trade economy, and the Singapore‑Australia digital economic agreement, SADEA and the Digital Economy Partnership Agreement, the DEPA.
But it contains an eCommerce chapter that affects the rate by the electronic means. Including provisions on personal information protection and cross border transfer of information by economic means among other issues.
Well, DEPA was signed in ‑‑ in 2020, among Chile and New Zealand and Singapore. And it's one of the fierce commerce and the parties constantly refer to the ‑‑ to their intentions to maintain adequate framework for the progressive available, and safe implementation of emerging technologies, including the governance of certain activities that underpin these technologies, such as cross‑border data transfers.
Nevertheless, many DEPA provisions are nonbinding and create roadmaps for future collaboration. In this sense, DEPA has been especially considered to influence a country with multilateral trade negotiations on digital trade by means of the flexible language and modular structure.
It's to be noted also that DEPA has a mobile for possible DPO e‑commerce, and the efforts within the APEC forum and other international voice.
What are the questions? The main question that this report are trying to solve, or address? That in this scenario, the question arises whether DEPA, one of the pioneering comprehensive international agreements on digital trade will be considered a Pathfinder for cross border data flows. DEPA is frequently considered and especially in terms of the adaptable design and mobile approach and in this, you can determine the extent of their commitment without being bound to fully embrace the sincerity of this agreement, of this ‑‑ of its provisions.
Well, the key elements that we keep in mind when developing this report is the studies is this research, it's that ‑‑ it's the propose of these studies to analyze how did DEPA, shape and guide future international governance rules on cross border data flows and to determine whether ‑‑ whether DEPA provisions constrained governments from a. Doing their own standards from personal strategies and the DEPA provisions.
When we take into rules considering the data governance, it's is aligned with the CPTPP and it's the base base of the CPTPP, even though the United States is not a participant in the CPTPP, well, the provisions of ‑‑ the provisions draw heavily from the CPTPP, where the US played a significant role in shaping the decisions. This similarity might be attributed to the ‑‑ to the brief negotiation for DEPA. It took just some months, in inevitably drawing on existing agreements. For future acquisition process this to look at the language in other agreements specifically the CPTPP is problematic. Countries that are not signatories to CPTPP may have hesitancy to adopting this, to affect the policy for certain countries seeking to join DEPA. It should be mentioned that DEPA in Article 4.3 affirm the parties previous level of commitment contained in other agreements. This is crucial and very important.
And the other effects this will imply a reference to commitments made by the three regional signatories to DEPA, in the CPTPP to which they are also party.
Regarding our main findings, and just research, we can see that the deepA. rules governing the cross‑border flows, takes into consideration the is CPTPP of cross‑border. And we look at what can set the commitments regarding the cross‑border transfers especially when there may exist inconsistent or contrite provisions. And this factor could cause a problem. It's being more detailed than the CPTPP text, they failed to set a minimum of standards and furthermore, DEPA, promotes the moderate recognition of voluntary self‑regulatory approaches which would be considered in some way equivalent to the implementation of comprehensive or sectoral privacy or data protection rules and this in some way affect the ability to impact the added value of DEPA in terms of protecting customer rights and user rights in digital environments.
It's difficult to claim that DEPA is considered a trailblazer for future cross‑border data flow negotiations, but for the issues that serve our attention. Because of the model approach and uncomprising way, you can see that this can generate interest in Europe, and the United Kingdom expressed some interest in the optics.
The second is even if commitments are not made regarding the data clause, this does not mean that DEPA declarations cannot have any legal relevance. On the contrary, different legal effects could derive from these especially as more countries join the agreement.
In this context, it's important to consider that this treaty is inserted in broader context, intertwined with other trade agreements in which the DEPA parties are engaged and a statement made in the DEPA to be considered in international dispute, for example, even when the dispute does not emanate directly from DEPA's specific provisions and moreover, it plays a significant role in resolve the dispute arising from riches of other commitments made within DEPA that are not excluded from the dispute settlement model, when the crux of the model pertains not to correct interpretation or application, for example, Article 4.3.
It's worth noting that while dispute settlement should not stand to Article 4.3, the cross‑border transfer of information, it is, indeed applicable to Article 4.2, protection of personal information, which for example, states in paragraph ‑‑ paragraph 10 that ‑‑ let me check. Let me check. That support this is to mutually recognize the other parties' data protection trust marks to foster the information while protecting protecting information. It is a connection, to consider the previous of APEC, and it has trust mark with the self‑certification schemes model.
Recording the cross‑border flow, DEPA does not forge a new path but rather follows the trajectory set by the US. This circumstance that has an impact on the data value offered by DEPA, by this digital trade agreement and if we considered that DEPA has been especially considered and signed as a Pathfinder to influence and contribute to multilateral trade negotiations and digital trade, it's not difficult to imagine that broader ‑‑ a product accession or replication of these terms and provisions could help in producing the fact of moderation under the US data governance model.
Thank you very much for your attention. Well, if you want to see, to check the full report, you can find it in the dtalliance website. You will copy in the chat section of Zoom, to complete the link to this report and if you have any questions, please you can see my email address, and ‑‑ well, I'm open to any kind of question or comments. Thank you very much.
>> JAVIER RUIZ DIAZ: Thank you, Pablo for such a comprehensive overview. We have first looked at a system of certification, a system where countries agree that companies can get private certification and that certification can be used to send data across borders. That's one of the models that we have. The next model we have is a modular trade agreement, but it's not really a trade agreement. It's like a collection of individual commitments where countries can pick and mix, and make their own combination, but as we have seen from the research, there are some questions as to how that modular approach works in the sense that some of those partial commitments apparently could involve buying wholesale the previous regulatory regime. So the founding members of the DEPA, which bring us back to the fact that those are in CPTPP and the Trans‑Pacific Partnership agreement and so they may not actually be that new, and so that is the discussion.
Next, we will look at the third model, we will look that is coming from this region, is something that's quite different, it's the ‑‑ in the Pacific framework for prosperity, which is a new kind of agreement that is not just a new type of trade agreement. It's not even technically a trade agreement, and we are going to hear a presentation online from Nan from Engaged Media who is very active. Nan, could we check do you have access to the Zoom?
>> Yes, do you see my slide?
>> JAVIER RUIZ DIAZ: Yes, we can see the slide and hear you loud.
>> Nan: Thank you. I'm a digital rights project at engageMedia we advocate follow digital rights in south and Southeast Asia. So today, I would like to talk a little bit about the Ipath. So thank you for the introduction. engage Media is also part of the digital alliance.
So when it comes to IPEF, or Indo Pacific economic framework for prosperity, this not so much trade agreement involves 14 countries, mainly US, India, some countries including Japan and East Asia as well and a lot of countries in Southeast Asia.
What's very interesting about this treaty is the US government controls all chapters and controls the text of the IPEF. It began a few years back and it's expected to conclude by November 2023. Unlike other FTA, the IPEF will not offer market access and GSP privileges. The text ‑‑ there are four pillars to this free trade. It's exclusive and second rootive it includes enforcement mechanism. Although the US will have the ability to conduct inquiries against any violations. Review of the comment processes in Australia and the US of Big Tech companies have raised a lot of issues by Big Tech companies. The issues that were raised are limit measures that restrict cross‑border data flows and secondly, prevent disclosure of source code and algorithms. And third remove any requirements for establishment of local offices and local representatives. The US, Mexico, Canada FTA or hereby in the US MCA explicitly cited it as a base line for commitments in the IPEF.
Now in IPEF, the corporate interest dominance. 40% represent business interest, and 69% of those advisors represent large corporations and their trade associations. And as you can see, extensive lobbying by Big Tech companies are involved in the provisions in the IPEF are very Big Tech friendly. US trade representatives have solicited advice of Big Tech. We have evidence on that ‑‑ on the digital trade provisions.
And to comparable proposals in the digital trade, within the trade pillar resemble those found in the USMCA there. Could be significance on the digital rights on the transferability and accountability and technology is used in a way that respects digital rights.
Some of the issues I would like to focus on is first, if IPEF leveraged the model of the USMCA, it will have enforceable cross‑data flows requirements, generic measures such as that of Thailand's personal data protection act, a local law will almost certainly fall foul with the USMCA style. Domestic measures and enhancing privacy and security of data, as well as measuring and providing regulatory access to data could be affected by these ‑‑ this IPEF provision.
Restrictions on cross‑border transfer could be used to protect the privacy, of course, and ensuring access to enforcement mechanism, particularly the EU's GDPR and numerous jurisdiction, the implementation‑specific measures to presenting to health, telecom and mapping or financial data.
It will also enhance administrative efficiency, and domestic law enforcement and promote economic and strategic purposes, meaning domestic capacity, taxation, et cetera.
So the implementations of this provision will make it difficult to introduce any domestic measures to restrict cross‑border data transfer. It will narrow the scope of exceptions necessity and proportionality requirements are very high bar in IP. EF and so the requirements for pretransfer consent could be very hard to be met and in the ultimate analysis, such provisions help data flow to countries where ‑‑ with poor data protection standards, for example, the US.
And while the debate surrounding restrictions on cross‑border data flow is ongoing, because while it facilitates states to carry out certain elements of regulatory work, data localization will also impose barriers on form on big firms in cloud computing and lower the efficiencies of their operations. So there are valid concerns and arguments on both sides.
Next issue that the IPEF will likely raise is the establishment of safeguard against forced source‑code disclosure as a condition to market access. Countries in Southeast Asia and South Asia as well are still developing regulatory responses to the use of algorithm. For example, Indonesia is ongoing with the AI ethics policy. One tool of regulation is ensuring greater transparency and accountability over how algorithms and software in general work.
With this provision, it will restrict various tools available to a state to promote competition and fairness in the company. Proventing such disclosure in the future may lead to algorithmic discrimination in areas like employment policies, ensuring policies or rankings, which will have an effect on the competitiveness of smaller businesses in the Global South.
Comparatively, it does not contain an analogous clause and the CPTPP prohibition on disclosure only applies to source code and not on algorithm. They may require modification but in IPEF it will and so this is a trajectory of a stricter deregulation of disclosure.
And I'm quite sure that everyone is aware of the anger of algorithm non‑disclosure. Of course, it will limit the ability for verification of a software works. Software based products and services function as they are meant to do, and limit the risk arising from the use of software, as well as limiting the black block issue with AI. And secrecy goes against the use of AI tools, robustness is a policy put forward.
They seek for predeployment of software in AI and the American data privacy and protection act which requires to conduct AI impact assessment, including design of algorithms.
In USMCA, the provision has certain exception but ultimately it implies that source code and algorithms contained in software products cannot be accessed by a regulator until an I inquiry has been issued in an identified malpractice and that's very ‑‑ it's a slippery slope. It's also worth noting that the R‑sub does not conThain, again, the analogous clause restricting the disclosure, while Article 14.17 of CPTPP applies only to, again, source code and not algorithm, and requiring changes to algorithm and source code that could be found to be biased and other wise harm individuals is ‑‑ is something that will likely happen should this provision be included in IPEF.
The non‑disclosure can hinder the trajectory of AI recognition at the regional level and also at national level.
And I would like to also point out, is me participating in the IPEF on negotiating rounds. So as I mentioned the negotiations are completely confidential, however, we do provide stakeholder listening sessions to which I was a part of in the fifth round of negotiations in Bangkok, and I have raised a multiple concerns regarding the violation of digital rights should IPEF take the ‑‑ the North American trade agreement model, and the codification of it, and I was ‑‑ I would just like to share that after I shared my intervention at the stakeholder listening session, a US trade representative from the embassy actually reached out, however, in that ‑‑ in that intervention, I specifically targeted the Thai trade representatives because it was quite clear to us that southeast Asian nations or signatories to this trade agreement is not gaining much but are losing more. And so I was targeting the Thai trade reps in particular on the digital rights issues.
And yeah. So wrap up the codification of US‑like, it will will limit the signatories for the consumer interest regulation over the digital ecosystem. The free flow of data crosses poses a limb ‑‑ the ability of countries to implement localization norms and the inclusion of such clauses would allow for the continuing full of data where it would be subject to relatively lower standard of data protection norms. The provisions restrict access to source code and algorithm and the ability of regulators and independent entities to scrutinize and conduct external assessment or audit on the software products prior to their deployment. This has many challenges as I mentioned before, in particular the gig economy.
Also, labor issues, and the limiting the ability to properly audit AI system is premature. So it could in the future limit attempts at ensuring safety and security and in fairness of AI tools which is something that I would like to highlight here. And closing remarks is the FTA provisions that seek to preenterrively limit on the ability of states and regulators to implement public interest or consumer interest regulation in this digital space is something that ‑‑ it's something that we need to push back and regulatory frameworks concerning the digital ecosystem are still in an amassing state in many southeastern countries and with technology being rapidly changing, putting these stipulations and provisions in the FTA will restrict the future trajectory of how the regulations are going to happen. These are not merely trade matters for sure but they are also digital rights matters and must be excluded from the IPEF and future trade agree.
And I would like to end with this report by the Digital Trade Alliance on understanding the IPEF, I will be sharing the link with you in the chat. And that's me. Thank you. So.
>> JAVIER RUIZ DIAZ: Thanks, Nan.
So we are going to finish now with the presentations. We want to give you some space for questions and opinions on this part of the session before we move into discussing the local context, but if you have any ‑‑ anyone ‑‑ any hands up?
No?
Everything ‑‑ okay.
So one thing that I would be ‑‑ I don't know if you can put my screen on there. So one thing we were going to ask if you want to ‑‑ we wanted to get a sense of where after listening to all of these things and some of the others that we ‑‑ if you ‑‑ we wanted to the good a sense of where do you think the priorities may lie and not all of you will have even an opinion or an idea, you know, that we just ‑‑ oh, we have a question.
(Off microphone comment).
>> JAVIER RUIZ DIAZ: Use the microphone for the people in the Zoom. If you can use the microphone there. That should go otherwise they won't be able to hear us. Mm‑hmm.
>> AUDIENCE MEMBER: Hello, my name is Rob Plumber from Electronic Frontier Finland, because what I heard that is it's quite terrible that there's already a massive trade agreement that is hindering on future implementation of algorithms and AI. That sounds real bad. Which were the countries in this agreement?
>> JAVIER RUIZ DIAZ: The IPEF, there are 14 countries. I don't have it off the top of my head.
>> AUDIENCE MEMBER: Indo China.
>> NAN: If I may, the IPEF it includes the Asia Pacific countries, Australia, beau nigh, Fiji, India, Indonesia, Japan, Korea, Malaysia, Philippines, Thailand.
>> MINAKO MORITA-JAEGER: I would like to say that IPEF is the US geopolitical strategy contest to China. Excluding China and then try to make, you know, the ‑‑ the pro market, you know, alliances in the economy.
>> JAVIER RUIZ DIAZ: I think the idea following the money, clearly there is a very strong sense of, you know, data as purely economic asset, you know, driving the economy, which we will discuss later with ‑‑ I think we have some colleagues here from Europe and we will discuss, like the different approaches to data. But I think, yeah, it is ‑‑ it's clearly both money but also as Minako stated, there's also a geopolitical sense. I think a lot of these agreements where you see it's not just the money, it's also, like, trying to create lines and affinities and, you know, like in the way that many policymakers like to call, it's like like‑minded countries. That's the terminology. People who think like that.
The UK, where I live, is one of those countries that is now part of CPTPP, and joining the Asia Pacific, you know, regime.
So if we don't have any more questions, I think that if we can keep in mind those frameworks and there is more because we don't want to, you know, discuss but there are also issues around what the proposals that the Japanese government put at the G7 for the data free flow with trust which we cannot fully explain. No one at the moment really knows what they are in detail, you know, or they are not qualified like this, but roughly, they would be a sense of all the things that we discussed, you know, how do you create interoperability of data regimes, how can you send data? Ideally with some safeguards but the devil is in the detail, as they say in English. Would is watching? Who is in charge of controlling and enforcing the safeguards? I think that is the context and I think as we have seen, the Asia Pacific region is a hot bed of initiatives that are being taken all around the world.
I mean, people in the UK and the US and Canada, they are looking at the DEPA, for example, as a model, for example, for the ‑‑ how the whole of the new future of trade can function because where things get stuck, let's make it modular. When you look at the certification, if it's very hard to get European Union decision, let's go for certification. So these models are really becoming global. They are going way beyond the region.
But now that we ‑‑ if we don't have any more questions, we are going to move into the next part of the discussion, which is to try to ‑‑ so we have mapped the kind of regional initiatives. Now what we want to do we will do like a little tour of the region, where we are going to get representatives from consumer and digital rights groups to give us a little conterm of what are the more pressing issues so we can see how these regulations will basically touch the reality on the ground in like some of the key countries.
We don't have the people from all the countries. So don't feel, you know, if you are from a country in the region and there's no one here, you know, it's not by design, but, of course feel free later on to speak and I think the idea is we want this to be participatory and get your input. The same thing for our colleagues online. If you want to raise any questions, please put it in the chat and then we will get someone to read it out for you here in the room.
So I'm going to ‑‑ we are going to start with Japan and I will give the floor to Amy Kato from Consumer Japan, and then Korea and Philippines and then we are going to ‑‑ okay. We are being asked about having a break. Yeah?
Okay. So let's do this. We are going to take a break because I think three hours, you know, is like ‑‑ I can see that no one is committed to the cause to sit for three hours. Should we take, ‑‑ being realistic, we will reconvene at quarter past. I will see you out there. So we will take a little break so you can grab some water and maybe go to the restrooms and then reconvene at quarter past. Thank you.
(Break). (No audio).
>> JAVIER RUIZ DIAZ: Now can you hear me? Yes.
So in the next part of the session, we are going to have a series of short ‑‑ stress short presentations. Many presentations, but short and dynamic. Trying to give an overview of what ‑‑ what's going on basically in like, some of the countries. So we will have some first from Japan and South Korea, and then we are going to have some ‑‑ also a couple more interventions around the Philippines and Europe and then also some colleagues are going to give an overview from Taiwan via Zoom after the second, but we will give you instructions.
So with without further ado, I will let our colleagues. Yes.
>> Thank you, Javier. My name is Qugimia from Consumers Japan. We heard presentations about different models of Internet Governance and now we would like to give you some information about the issues that Consumer organizations in Japan are currently focusing on.
Not only digital issues but other issues as well. Today, under the title consumer protection in digital society, I would like to talk about the current situation of consumer administration in Japan, and the concerns that we as consumer organizations have regarding the digital society.
I will be in charge of the first half of this presentation, and Ms. Kato will be in charge of the second half. So I will let you know in advance.
There are many consumer organizations in Japan, and among them, Consumers Japan, CJ is a federated organization that promotes collaboration and cooperation among consumer organizations. CJ deals with a wide range of topics, including digital rights, food safety, product safety, environment, clean energy, et cetera. CJ supports the promotion over consumer policy through workshops and advocacy activities. We also attended the consumer dialogue held for the first time in 2019 and made recommendations regarding consumer protection in the digital society.
Particularly, the importance of consumer redress and the need for new measures. The global committee within CJ promotes cooperation with CI and collaboration with overseas consumer organizations. Japan is entering a super aging society. The population aged 65 and over is 28.6%, the highest in the world.
As a result, many consumer harms occur among elderly consumers, which has become a social issue, especially in the digital field, it is necessary to increase digital literacy of older people. Additionally, the consumer affairs agency has only been in place for have years. So it does not have a long history like the EU or the US. For this reason, Japan's consumer policy is characterized by its implementation in a reactive manner in situations in the countries, especially in the digital field, there are delays in the application of domestic laws.
Furthermore, as I mentioned earlier, as a wave of super aging society is affecting consumer groups as well. The members of consumer organizations are aging, and at the same time, many had of the younger generations leaving households where both parents work making difficult to develop consumer movements as before. Consumers lack of knowledge in terms of technology and information in the digital field.
Deciding how to resolve issues in the digital field is a major challenge for consumer organizations as well.
>> AMY KATO: Thank you. I will continue the presentation. Okay. For us, the Internet and SmartPhones have now become essential tools in our lives. We use the Internet every day, just like we use electricity and water. In other words, we can no longer escape from Internet searches. However, it has become too late for us to realize that this phenomenon is an invasion of our privacy.
In Japan, the numbers ‑‑ the number of users of the social networking service called Line exceeds 95 million and the daily active user rate is 86%. In 2021, a big problem was found out. Our communication data and photos in this application were available for viewing in two other countries. We, the consumers were not informed of this.
We also see a lot of unfair marketing, a lot of self‑regulating came into effect on October 1st of this year. Stricter advertising will be required and criminal penalties will be imposed with the advertisements are malicious, however, a private survey shows only 10% of companies have completed interactive measures including all passports.
In order to strengthen monitoring, the consumer affairs agency had set up a reporting desk and is calling for information. Also, measures against techniques called Docatons are also insufficient. We see many fraudulent methods, including cases where subscription contracts are concluded without the consumer's consent and cases where cancellations is not ‑‑ cancellation is not possible, even after all efforts are made.
In addition to this, there are many other problems, virtual space laws are just beginning to be discussed. People with disabilities within data apps is serious. There's no borders in digital society. This makes it easy for unfair services and effective products to be supplied across borders, and our private data could be affected if there's no effective rule.
In light of this situation, we must carefully consider effective cross‑border consumer protection. First, we need to say that we do not accept any services that violate our privacy and security. In the unlikely event that we suffer damage, we must be able to request simple and easy remedies and disclosure. In addition, I believe some kind of legal regulation is necessary regarding terms of use that DNA Seve consumers.
We believe that consumers should actively participate in this series of deliberations, and should have the opportunity to express their opinions. We must pay close attention to the fact that there's no international redress system for cross‑border consumer issues. I'm always thinking about whether it would be possible to establish new international consumer protection law that multinational companies should follow or create a new redress system in ICPEN and or should we establish an organization in the United Nations that handles consumer protection independently.
I'm very pleased this opportunity to discuss consumer protection in the field with you today. I hope this presentation will contribute to the discussion. Thank you very much.
>> JAVIER RUIZ DIAZ: We are going to listen to the perspective of the Internet users and digital rights.
(Off microphone comment).
>> MASAYUKI HATTA: Good afternoon. Thank you very much for coming. My name is Masayuki Hatta. Let me introduce our organization. It's called MIAU, and today, try to talk about the lessons learned in the Internet activity in Japan. So this is a website of our organization. The address is MIAU.jp.
So our organization is established in 2007. Time flies. And this organization modeled after Electronic Frontier Foundation or ORG in the UK. So our main focus on the Internet freedom and the ‑‑ mainly freedom of speech expression or ‑‑ especially copyright issues, copyright regulation issues. So we are not really consumer organization, but our focus is with consumer organizations. We have worked with consumer organizations.
And so what we are doing is basically some meeting, we make comments to the government or sending our members to government committees, things like that.
So what we face was difficulties. One is general indifference. So in Japan and maybe in the ‑‑ in the other countries, for example, privacy issues, there's a strong sentiment of nothing to hide. So we are doing great, and we don't have nothing to hide. So some people will if some people want to hide something, they must be criminal or something. And also, I think there is a ‑‑ how can I say? A systemic bias or maybe underestimation bias. Many people don't really care about their privacy, but if there are many people's data, maybe people's data, increase exponentially. I think this is the basic basis of indifference of privacy.
Also in Japan, there's strong sentiments that avoidance of activism in general or politics or maybe we have really conformist culture:
Also, the second challenge is a lack of mobilization skills. For example, our organization is perpetually understaffed or underfunded. We depend on the considerations, but still we don't have no full‑time staff because I have my day job. I'm not really full‑time staff. And also, in generally speaking, in Japan, the activism, the Internet activism in Japan, not very organized. So it's pretty much individual efforts.
And also, I think we don't have good horizontal connection. I mean, the communication between the organizations or something, quite scarce. But there is ‑‑ there was notable exception. There was a strong anti‑DNS blocking movement in 2018. We could organize a coalition among ‑‑ a coalition among our government, activists, academics or ISP or private sectors. So sometimes we can organize some horizontal coalition, but not usually.
Also, I think Japanese activism have some kind of political bias. I say there's so much left‑wing leanings, which means, a strong sentiment of antigovernment or maybe lack of effective lobbying skills in Japanese activism sectors, and also, sometimes we suffer the lack of technical knowledge. This is quite troublesome because privacy or data governance issue is essentially technical issues. For example, privacy issues is heavily involved with encryption or platform architecture or something like that. But if we want to understand the issue, we have to understand technical issues.
And the skill set of Internet activists in Japan is not really enough. Sometimes it's not enough for understanding technical details in detail.
And also, I think it's ‑‑ I understand this is kind of controversial stuff, but you know, sometimes people say justice without force is powerless. So I think we sometimes need to demonstrate if we don't ‑‑ we have no choice. So maybe we need more hacktivists or more, you know, so‑called public interest technologists, which means the people who have ‑‑ who has background, both technological and political or economic ‑‑ economics background and fully understand technology and, you know, politics.
So we currently don't have this kind of people and so this is hour ‑‑ how can I say, our program. Thank you very much.
>> JAVIER RUIZ DIAZ: Thank you. So that was really good. I think quite a fairly broad overview of the situation in Japan from consumer organizations that are working on, like, very broad range of issues, you know, that as we say quite on the general level, to people who are the more, like, technical or digital rights end and even they are expressing there's a need for more knowledge, more connections and more people to get involved to be able to provide that vital connection between understanding the technology and being able to be effective advocates as we said before.
So now we are going to continue our tour of the region by moving to across, you know, a little hop as they say and we are going to let our colleagues from Korea give us an overview. Also a consumer organization, digital rights organization to give us a broad overview.
>> Hello, I'm Hukung Hall, and first I would like to thank the organizers, APC and Consumers International for organizing this event. In order to give this presentation, I spoke with colleagues at Korean Progressive Network and also colleagues from Consumer Korea to get a general overview.
So Consumers Korea is just like our colleagues from Japan. We come from our traditional consumer organizations. We were formed 40 years ago. It was mainly ladies, women, who are now grandmothers would formed the consumer movement. It started from like food safety. We work on a variety of issues, including product safety, and environmental issues, but digital rights and, for example, financial consumer protection, digital finance, these are the areas that we want to move into, but it's very difficult to move into due to the lack of expertise in these areas.
So who participates particularly in digital rights in Korea, I would, like, group them in three groups. One is Civil Rights or civil freedom organizations which is the Peoples Solidarity for Participatory Democracy and the digital rights or the data privacy focused issues, for example, Open Net and colleagues here and then we have the consumer organizations who dabble in this area, which includes Consumers Korea and Consumer Union. We work in each areas. We form coalition as and have campaigns together, where against the legislators work on a specific bill or hold seminars together to form opinions.
Specifically how does a civil society participate? We participate through various ways, government committees.
It could be a standing committee or ad hoc committee task forces. What we do ‑‑ we try to leverage more consumer friendly government agencies to work on these tech‑right issues. So we closely work with the Korean FTC, the consumer protection and we work with the Data Protection Authority too. So Consumers Korea has a seat. We've had a seat at the data protection commission of Korea.
So we're trying to put the consumer perspective that is built into the legislative and administrative process.
And then the ‑‑ we also do consumer research. Research projects based on government grants. We work on, for example, grants from Internet‑related public institutions. We worked on a protect, for example, comparing the terms and conditions the national and international Big Tech companies. To we made the English versions of Google and the others, and we read the terms and conditions and see how the different countries, the different companies regulate their things.
So what ‑‑ the main areas the consumer organizations currently work on, it's very ‑‑ it's a wide variety of issues. One, we work on the digital economy or the platform economy in general. For example, dealing with the national, international Big Tech companies is one. And another area is the data protection, privacy‑related initiatives. And the third is ‑‑ it's a budding area. It's very controversial, the developing artificial intelligence. AI laws in Korea. So we are also working a little bit in that area.
So the digital economy in general. The Korean government's view on digital economy is self‑regulation is the best option. That's what the current Korean administration is going for. So the previous administration was more interested in putting pieces of legislation for regulating the Big Tech platform economy, but that was abandoned after the change of administration. So right no, it's to maximize the benefits of users consumers through the development of technology and self‑regulation of those technologies.
So very recently, the Korean government announced a new digital order. So it announced the Digital Bill of Rights. It was announced around the time of the General Assembly. And Korea has a partnership with NYU regarding these digital elements.
One thing we have as consumer organizations, rights organizations, is that these digital rights ‑‑ it's called Digital Bill of Rights, but it is spearheaded by the Korean Ministry of Science and ICT, the MSICT, so basically it's the lead agency for ‑‑ for technology development, and industry development in the tech sector.
So it's not the Human Rights Commission, it's not the data protection. So it's ‑‑ what we're concerns is consumer organizations ‑‑ we're suspicious of what is this bill of rights. It actually has a lot of other ‑‑ not protecting human rights. It's not the focus of this so‑called bill of rights but actually it has a lot of other components, for example, advancements in digital and innovation is actually one of the biggest focus of this bill of rights.
And so we ‑‑ consumer organizations also work on how to regulate the platform economy, the platform Big Tech companies. So we have participated in industry consumer joint council meetings in this area since this May. And also, regarding the data protection privacy initiatives. So I will leave that to our colleagues from Open Net.
I will just share, like, a quick piece of developing AI legislation that consumer organizations were invited to the legislative discussions. So the current AI law that's been discussed in Korea is pro innovation, pro business, and it actually writes in the current text, it's innovation is the prime consideration, objective of this law. So the consumer organizations with the data rights organizations wrote an open letter against this bill, and we also had legislative discussions with the legislator. And so we stopped the bill. Of course, there's other things happening in the Korean legislature right now. So Congress is not really working very well, but these are the ways that consumer organizations are participating in this digital sector.
So I do think that consumer organizations bring a unique perspective, but I think I pass my time. I will give it to the colleagues and discuss later in the discussions.
Thank you.
>> Hello, my name is Sunguni, I'm a researcher at Open Net Korea. I will briefly introduce a case that a regulatory system was put to use on Big Tech platforms.
So Korea's personal protection commission ordered corrective measures and imposed penalty surcharges to Google and Meta in last year September. The surcharges were 69.29 billion to Google which is about $70 million. And $38.1 billion, which is like $30 million for violating personal information protection act, Article 39‑3 (1), which is now Article 15 (2) that prescribes that any information and communication service providers who intend to collect and use personal information of users shall notify the purpose of the collection and use of personal information, or particular of ‑‑ particulars of personal information to be collected or the period of retaining and using personal information.
Google and Meta did not obtain valid user consent for using SDK and pixels and utilized collected information for targeted advertising. Third‑party behavioral information is collected when users are browsing websites other than Google or Meta. Thus order users cannot expect or predict which behavior information is collected on which websites. Especially when a platform is verifying a user and collecting third‑party behavior information, sensitive information can be created and categorized and it enables the platforms to track all connected devices.
Two companies argue that they did notify the users, but Google did not explicitly notify its users about the third‑party behavior information collection when users joined their service. Google hid it under the "more options" menu in an opt out basis.
Meta's notification was very difficult to access. It was only vaguely prescribed in the preface of its data policy. And it did not notify the matters legally required and the commission found it a severe violation of the act.
Again, February of this year, the Commission imposed another penalty for violating Personal Information Protection Act, Article 38‑3 (3) to Meta because it provides that service provide shall reject the provision of service for not providing the information, that it's not minimally required.
Meta, basically made it impossible to join the service, unless the users check the ‑‑ the opt‑in for collection option. And Meta was, again, fined and imposed a stiffer penalty for not carrying out the previous corrective measure.
That is it. Thank you.
>> Hello, I'm Joon‑San from Open Net Korea, the organization that is fighting for the Internet freedom in South Korea. As a digital rights organization, we have been thinking about how to coordinate the Personal Information Protection Act with human rights. So I would like to point out that emphasizing the right to self‑determination of personal information and the strengthening personal information regulation without detailed consideration of freedom of expression can undermine freedom of expression being the right to know, and democracy in the context of Korea's situation.
We can say all expressions are processing of information, if an expression is about a person it inevitably involves the processing personal information. If all expressions in principle requires the permission of the data subject, this will severely curtail freedom of expression and information.
The purpose of the right to self‑determination of personal information and the personal information protection act is to protect individuals whose power is unbalanced with the government or the large portions from data surveillance by those people. However, the mechanistic application of personal protection information act, may discourage the powerless individuals from reporting on the social injustice, or public interest issue and consumer reporting campaigns may also fall into this category.
In relation to this, I will briefly explain the issue with Korea's personal protection information act, PIPIA. First, subject of PIPA, a person who operates the personal information files as part of its business. This should be interpreted strictly considering the original purpose of the PIPA but right to self‑determination of personal information has been overemphasized and is being interpreted very comprehensively, and broadly.
The commission states that any collection of information can be a personal information file, if it's systemic arrangement can be read, and business is interpreted comprehensively. Therefore, even individuals other than companies can be considered, personal information controller.
For example, it is believed that even if you have video recordings of the criminal activity, captured by a black box or CTV, you may consider a personal information controller, and have difficulty in sharing information vital to other safety.
And personal information controller needs to be interpreted narrowly, as a person who uses an easily searchable collection of information, from numerous data subjects, for business purposes, considering the original purpose of the law.
And only in the case of collection in the consent or of the data subject can be exempted if there is a justifiable interest of personal information controller.
In other words this exemption from concept provision, does not apply provision to a third party. So in the case of whistle blowing for public interest, exemption may not apply.
Contrast to GDPR, which does not separate collection use and provision to third parties, but uses a single concept over processing and exemption of public interest can be widely applied to public interest whistle blowing. As far as I know, the Japan has a similar as Korean. This is interpreted to apply only when media organization or media companies report, and does not apply when an individual reports to a media company.
The GDPR has an article, Member States trail by law or reconcile the right to protection law of personal data pursuant to this regulation with the rights to freedom of expression and information, including processing for journalistic purpose, and the purpose of academic, artistic or written expression. So reporting to the media can also be interpreted to ‑‑ interpreted as journalistic purposes and it's therefore more favorable to the reporting and the public interest.
Against the poor legal background, you want to have the president act tickets. The Korean presidential office has to write a ‑‑ diJuly edging information about the office's hiring practices and the Korean Justice Ministry threatened to file a complaint about the sources of the media articles covering the justice ministers conformation hearings all under Korea's data protection law. In this way, it should be noted that the GDPL allows the free hedom of information to third party without the consent of the data subject for public and residential interest and allows exceptions for information processing for journalistic purposes.
Personal information protection relation should be improved to ensure that the right of powerless individuals to protest and report public interest through freedom of expression or right to know are not diminished.
Thank you.
>> JAVIER RUIZ DIAZ: Thank you. So we have a good overview of some of the issues that are being debated, and including, like the potential clashes between, like, the misapplication of data protection to free. We were going to take a remote intervention from Taiwan. Can we get the Zoom or the ‑‑ are they?
Mm‑hmm.
Mm‑hmm. Yes. Okay. And then afterwards we will come back to the room.
Can you hear us?
>> Can we hear you?
>> JAVIER RUIZ DIAZ: Yes, yes, we can hear you well.
>> SINGING LI: Hi, everyone, I'm Singing Li from Open Culture Foundation. It's a local organization that is funded by open technology communities. Ba ised on this unique platform, we promote open technology, such as open source, open data and open government, and the digital rights and the Internet freedom in Taiwan.
With this community‑based ‑‑ with this community‑based OCF is also a hub in Taiwan that covers different fields and. Countries to make host fields and the transnational cooperation happen. Because we know that if we want a view of the will digital environment, and defeat digital threats, no one should be left behind, and OCF is also an APC member and international consumers thank you for having me in this event, because it's a pity that Taiwan cannot register in IGF but we are not a UN member.
So me, it's a good opportunity that I can be online and show you what's happening in Taiwan. I want to share the lessons learned from the Taiwan RDC research project. It's an evidence‑based digital rights advocates to the tech sector and I will talk what is the research project.
Before I talk about what is our research project, I would like to address some local challenges and opportunities for you. Taiwan has a post‑authoritarian context. The general public highly values free Tom of speech, private sector autonomy and the limiting governmental control over the internet.
I will give you an example. In 2022, our national communication commission wanted to roll out ‑‑ wanted to have a draft digital service interimmediateary act. Fortunately, it's already withdrawn because to one like this act.
In this act, it aims to authority ‑‑ government agencies to request information restriction warrants and flag misinformation online. As people know, China is at the front of misinformation. So government, it's like Europeans, their digital service act. The government want to have digital service intermediary act, the backlash to the council about imposing censorship and they think that the notice and the takedown liability could result in chilling effects.
Another thing is that if we regulate the messaging apps, it could violate privacy and the freedom of correspondence. So in this case, we totally withdraw our digital service intermediary act.
And the challenge is the Japan tradition that the previous speakers also talk about. Insufficient public awareness and understanding regarding tech companies' responsibilities in safeguarding digital rights, as well as the public awareness of the privacy issues. I can give you actually an example. The first one is that the service from the Taiwan Internet reports conducting by the Tower Association for Human rights, TAHR, from 2019 to 2022, 71.8% of people are worried about data leaks, while only 48% of people worry about company misuse of personal data.
And also, like, 43% of respondents falsely believe that website's privacy policy guarantees zero data sharing. So it's a situation in Taiwan that people are misunderstating regarding the tech company's responsibilities.
And another case is the ‑‑ also the ‑‑ like I say, the biggest communication act in Taiwan, LINE, they want to update their privacy policy to conform with the international standards GDPR, but unforeseen public resistance so their updated, and that's because ‑‑ not too much people understanding about the GDPR.
So that's the background that I want to give you to ‑‑ about the Taiwanese situation.
And then I wanted to talk about a report we conduct in Taiwan, it's called Digital Rights in Taiwan, it's conducted by the New American Foundation. And they conduct the scope, or the international version such as Maytag and Google and Vodafone and Orange telecom. And in that year, they want to conduct the Ranking Digital Rights in Asia. So they cooperate with Taiwan and Korea with the Open Net and also for cussed on the forum. So we are the partner to combat the digital rights in Taiwan and we cooperate this opportunity also with TAHR, the Tower Association for Human Rights together to conduct this report.
In our reports, we we had 20 high market share, local and regional digital service in Taiwan, despite the international telecom market like Google or meta. And we major in the four industries is the social medias and job banks, eCommerce and the telecom.
We conduct in the three domains, governance, the freedom of expression and privacy, but the indicator in the original Ranking Digital Rights, there are 85 indicators in the original Ranking Digital Rights, but we only choose 29 indicators I show above in my slides, because it's more for a local contents and it's also for Taiwan as we label the privacy concerns. So we put more effort, more views on the privacy and we want to know about our situations.
And it's a view about the national level trends. It's a compare from the TAHR digital surveys and the US market digital surveys. As you can see, that the Taiwan got lower score than the US digital service, and it is because that we are lack of digital rights regulations, such as, like, data governance and the personal data protection. So let these to the low compliance data in the amount of business.
In our report, we observe that the company usually just wanted to do a compliance to is the local law. So we observe that. If it's international cooperations such as they will have a lower score than a local company in Taiwan. Yeah so these international companies, they will follow the international laws, the international compliance. So they would get ‑‑ they will will treat good to our personal data and the digital rights.
Also in ‑‑ when we conduct our research, we also have some good strategy and outcomes. In total, with gather seven company response from our report. One from platform, and five eCommerce platform and also in the eCommerce platform two, had a meeting with us. So we can ‑‑ we have more ‑‑ with this evidence‑based report, we can have the opportunity to engage them and with this evidence‑based report and we can persuade them. We can negotiate them to improve their policy.
And also like in the telecom company, one company also have the meeting with us, and provide the feedback to us because they also want to have a good reputation in the report so they also provide us the feedback and try to gather good score in our report.
And another good thing is that ‑‑ a good outcome is that one company that modified their privacy policy to specify that they collect online behavioral data from the users. In the previous all the local company, they just follow us ‑‑ as I said, they just follow our local personal data laws. So, like, they they didn't show what kind of data they collect, but it did. It did. It changes. If we use this report, we can engage with the company and then they also change their policy.
So I want to have, like a lessons learned from we conducting this kind of report. First off is that the international standards and the initiative can attract attentions. With this report and, we talk to them that this is international ranking of digital rights, not only the local one, and they will pay attention.
And the other thing is attention for the leadership level yields best outcomes. As you know, leadership has more power to change everything, and, yes, it's also a lesson for us. And another thing is that creating peer pressure is a successful strategy. In our Ranking Digital Rights, we follow 20 companies to do the research for 20 companies, and in the form fields, and we found with the peer pressure, if they found that another company do a good job in that score, they will think about changing their policy and getting a better score.
Policy change requires horizontal cooperation across company departments. In the beginning, you just feel a policy make comes out of the legislature. And we feel that the CSR department will help us to push our department to change their policy. So it meets the horizontal cooperation and it needs you to find the key person, the key members in the organization ‑‑ in the company and to engage with them and maybe you can do your digital rights advocacy.
Yeah. I stop here and thanks for having he many.
>> JAVIER RUIZ DIAZ: Thank you. So now we have very little time. So we are going to give an opportunity to Thomas, who comes all the way from Europe to give us ‑‑ I mean we have been hearing what's going on in the region. Now we are going to put the developments in a wider context, and I think a lot of the references have been made to what's happening GDPR, the gold standard, what is happening in Europe. We will let Thomas explain a little bit what's happening in Europe and how things may be seen from that side.
And then ‑‑ come here.
>> THOMAS: Thank you so much. Thank you so much. I will try to make it brief give than we are a little bit behind schedule. My name is Thomas Loninger. I'm very happy to be here. It's my first time in Japan. It's not my first IGF. It was a good lesson to listen and learn from the previous conversations and I actually would like to ‑‑ before I talk about the GDPR and the data transfers focus on the many similarities that I have heard, particularly in the cooperation between digital rights and digital consumer protections. I'm the executive director of a digital rights organization and I'm on a board called European digital rights and very often we have exactly the same level of collaboration where for us, it is essential to align, to collaborate, on any issue that is digital with consumer protection organizations, because very often we look at the same problem from different angles. We also have different channels to exercise influence to make our case.
And whenever we are in broad or rough alignment, there's a very high chance that we can at least get the essentials of the ‑‑ the key policy through. And another thing that also wanted to reference a little bit as an activist myself, it always takes those moments when the issue that is formerly known as niche suddenly becomes very mainstream.
In Europe, there was certainly software patterns or the crypto wars in the '90s and it was ACTA and net neutrality and that's when you really come to the forefront and digital issues in general. I remember when I started my career, we had about one law in a legislative term that was truly digital.
These days in 2023, we have around 40 laws every year. And so the frequency with the digital legislation that comes out, particularly from Europe, is really overwhelming. And it's another thing that we share with our colleagues from the consumer protection world, because as small or medium‑sized NGOs are overwhelmed with the speed, particularly if you look closer and you see the governments are quite clever in hiding real intention of certain legislation and you need to look at laws combined, like this piece looks not really critical, but if you combine it with a second and a third law, suddenly you will see the ecosystem and you see the harm, you see the human rights impacted that otherwise would be hidden.
And maybe to talk about the GDPR, which is always the thing that the Europeans are portrayed for. It's important to stress the context in which the GDPR was adopted. In 2013, and what is known, released everything that we know today about the indiscriminant mass surveillance and that had a huge impact from Europe. The European Parliament itself and also high‑ranking commission officials were the target of this surveillance, and without that heightened awareness, we would probably never had a consensus for such strong safeguards.
And in 2013, '14, '15, when the GDPR was adopted, human rights was really the primary objective and ‑‑ and, like, the perspective that we have on the law. When people talk about these issues. We use terms like data governance and data spheres which is a way to protect those protections from GDPR, the European health data space would be one perspective, and the financial data space. Europe is taking away items from the gold standard. We see it in another issue that's the focus point of our work, digital public infrastructures. All the things that our governments did in the middle of the pandemic in order to cope with this emergency and digital identity, digital currencies like the digital Euro and all of these systems also need to adhere to policy.
We have the GDPR, and that establishes a standard. No, we have to always reevaluate tease standards and make them livable things in practice. What does it mean privacy by design when I have one wallet that I use for public transport and doing my taxes?
But, let's not just look at the GDPR itself. I wapped to give a little bit of a look back on the debate about data transfers. And here I am going to be quite Euro‑centric. And we have the I way that Europe transfers data from to the US. It did not even base the decision on the lack of a real federal privacy law in the US. It was the non‑discriminate of the T. SA, no procedural rights to fight back against this illegal form of surveillance. That was the essence that was violated and that's why the highest court in Europe, already two times annulled these treaties between the EU and the US.
Coming back to my trade policy is a welcome frame to have these discussions. We are now on the pathway for privacy issue 2.0 so a new treaty between the US and Europe. And that treaty was announced in a trip of American President Joe Biden to Brussels to meet with the head of the European Commission and that meeting had two points. One is, oh, we will do privacy 2.0? And the other one was, oh, there's this great deal for American LNG, liquid nitrogen gas, that is now being shipped to Europe.
Because at the time of the illegal war of aggression by the Russia on Ukraine. You could say that the rights of Europeans was traded away to have cheaper energy. That's not living up to the standard that I as a European citizen I would want our governments to be accountable to and not the ones that I as a member of civil society will hold them accountable to. But it shows in a way that we really have to focus on the human rights essence of data rights protection, of anything digital. It needs to be human centric and not centered on business interests, government interests and what is technically possible, feasible or interesting. We need to focus on the human impact. That's how we can guide good governance and good policy.
Thank you.
>> JAVIER RUIZ DIAZ: Thank you.
So we have 50 minutes left. So questions, comments from the floor?
Anyone?
Otherwise, the one thing that we definitely would like to talk about is how can we start coordinating. We do have some ideas of trying to organize and continue, we saw from our colleagues from Engage Media that were going to the IPEF, even if they were not able to access the room, they were still talking to the policymakers.
We have, you know, other spaces. We did a little online poll, which I will try to connect it back to the projector. It would look nicer. The majority of people who responded said the priority for civil society engagement and data governance, that was the bar code, the QR code we put before, and most people are saying that the cross‑border CBPR, and the WTO, the digital trade that we did not discuss and there's quite a big priority.
So in terms of ‑‑ something that I think is equally important is to find a way for civil society and consumer organizations to engage with the cross‑border privacy rules. There was a meeting in London a few months ago of the global CBPR, the forum. It was taking place as the minister for data protection was announcing, like massive reforms to the UK data protection framework to move away from ‑‑ from GDPR and they didn't mention in parliament ‑‑ it was a day when they had a full day Q&A on data protection reform. The ministers did not mention that the at the same time there was a global meeting of the GBPR and the UK was applying to be part of this other regime which would have been obviously a massive discussion in parliament.
Given that is the level of public discussion and participation that we have in the UK at the moment, you know, about the global C. BPR, also which is like basically nothing. I had to go to the website of the US trade department and find that they had an announcement that the UK and there was a meeting that the UK was applying. Obviously they jumped the gun on the UK PR. We found it out through the US.
So high impacts. One the things that would be interesting for us to discuss is how can we collaborate, you know, with civil society organizations to try to intervene, you know, trying to talk to the governments leading at the moments like the US is quite strong, but, I mean, there are many other countries involved. So I think that maybe even more useful to find advocates in smaller countries where you can have easy access and in theory they have a vote there as well. We can get access to the next round of negotiations. They do have a calender and just say that the global CBPR, it has gone from a first year where it was an idea and now there's a charter. They are actually setting up permanent Secretariat.
So I think that particularly focused on CBPR, that would be useful. We will be talking about it. We only have ten minutes here. So if we, you know, we are not going to put you on the spot. Oh, with he have someone who wants to speak.
>> AUDIENCE MEMBER: Hey there. Name is Rob Plumber from Electronic Frontier. I only heard about the DSST the first time today, and, you know, after this session, I'm starting to get really concerned that all of these international trade agreements are going to erode our human rights. I was wondering, like, you know, is there any kind of mechanism to, let's say, punish the US if they let us down with the trust again? They have already done it. And if we think 2.0, you know, what's the sort of repercussions for not respecting that trust agreement again? And, you know, how trustworthy can it really be if there's no mechanism to sort of slash them somehow.
>> JAVIER RUIZ DIAZ: I think that's a really great point, which is that ‑‑ I think the question is: How do we get mechanisms that actually have enforcement and that ‑‑ I think the US is a particular problem because of their refusal to ‑‑ to create comprehensive privacy laws, you know? It's dragging everyone else, you know, and it's dragging like the whole Pacific region and even as we discussed, you know, like Europe.
So I think that this is ‑‑ the sense that we get from colleagues in the US is that this is a very strong movement of civil society and consumer groups advocating for stronger privacy protections inside the US. I think that my view and this is ‑‑ I think that would be the discussion, you know, is that the best thing we can do is to really work with organizations in the US to try to get domestic reforms while showing from all around the world that actually they are the ones that will be in the minority and at the moment the US is trying to divide, to use really the Asia Pacific region to divide and say, look, Europeans care about privacy. This region is about business and the future and robots taking care of people and we don't need data protection from Europe.
I think at the moment what would be more interesting is to say, look, everyone around the world cares about consumer rights and if you don't jump, you will be the ones that are standing out. I think it's about moving the lines of consensus and putting them in the minority, which is precisely what we are doing here.
Do you want to speak in the microphones.
>> AUDIENCE MEMBER: Hi, everyone, I'm Bridget. I have been talking about trade for a while, like, I think last ten year years, you probably heard me talking about the digital trade rules in the IGFs and I'm the founder of the Digital Trade Alliance, I'm no longer with the alliance. I have notes here because I have been listening to all the discussion, and this is really great. Because this is what we try to do all of those years and it's really great to see all the familiar phrases works on trade, on digital trade now.
The IPEF, it's a big deal here. I think the US tax is ‑‑ it's not USMCA, it's USMCA minus which is really good and that's why the industry is not happy in the US and I think I can say that this is what I have been hearing in DC that they gave up on the IPEF, because they know that they are not going to get what they want.
But, there's another item on which we didn't talk today, the WTO and I want to ‑‑ I really, really want to bring the attention to ‑‑ your attention to the WTO, because they can't make a ‑‑ they can make progress in the WTO because of Europe. The U.S. and Europe, the privacy exception, because there's that rule on free flows, right, and then there's an exception. That's how the trade agreements work. And all these discussions we are having, the data flows with trust. It's nothing. It's like ‑‑ it's a distraction.
The main issue for us is the exception and the EU has an exception language, that came up a few years ago. It's in 2016 and it's in the FTAs. I know that Korea in the EUFTA and Japan FTA, it has a place holder and they want to introduce the exception now.
What is happening now, like they are there trying to change the European position because if they get Europe on board, they can sign that agreement in the WTO and it will be like ‑‑ it will be binding but also enforceable, you know, and that's the problem with the trade agreements. They are binding but they are also enforceable because if you don't comply with your trade obligations, you end up, like, you know ‑‑ you end up like getting like sanctions from the US and other trade partners.
So that's why this is very important that we pay attention to these rules, especially to the WTO, and to Europeans in the room, we really need you all on our side because Europe has been resisting. Europe has been keeping its position on privacy exception, but what I have been hearing is there's so much pushback coming from not only the industry, but also some of the member ‑‑ some of the European countries, you know, to revise the language.
So I just wanted to give you an update on what's going on so that IPEF is still a problem, but focus on IPEF, but don't ‑‑ don't think that nothing is happening in the WTO.
>> JAVIER RUIZ DIAZ: Thanks. I think that was just to clarify, I mean, the meeting today, we were looking at initiatives coming from the Asia Pacific region. There is the WTO. The WTO joined the digital trade or eCommerce is one, it's an attempt to try to consolidate some of the rules that you find in the Asia Pacific trade ‑‑ digital trade agreements around the free flow of data and minimal ‑‑ minimum levels of data protection, potentially to make in global to bring them to, of course, all the countries of the WTO or at least the complication. Not all but to make it like a newer standard.
That's something else. I think that we are really out of time. I think that we ‑‑ I keep ‑‑ someone came in with a sign and I think that we have people trying to ‑‑ who are trying to come into the next ‑‑ into the next session.
So we are going to ‑‑ we are going to probably stay ‑‑ we leave the room, but we are going to stand just outside if you want to come and talk to us about how you can collaborate or you want to find out more information, get URLs for the report, you know, we will be. Thank you so much for staying. It's a very long session. This was a lot of information to digest. But also, I will be very happy to follow‑up, send you with the materials or answer any questions. Thank you again for coming. Thank you.
(Applause)