You are here

IGF 2017 - Day 2 - Room XXV - WS 113 Emerging Challenges for Data Protection in Latin American Countries

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> LUIZ FERNANDO CASTRO:  Hi, good morning, everyone.  Just to say that we have two participants that are on line and asked us to wait five or ten minutes.  Thanks for your patience.

Hi, good morning, everyone.  Thanks for coming.  We'll start the session called "Emerging Challenge for the Data Protection In Latin American Countries."

The first is Danilo Doneda.  After, this the other speakers will present some specificities.  And cases from their country.  Please Danilo, you have ten minutes to expose your ideas.

>> DANILO DONEDA: Thank you very much, Mr. Fernando.

I want to make a brief overview of that potential legislation in Latin America, the situation and the developments.  I want to thank the organization, for CGI and for proposing this workshop to Jamila Venturini.

When we talk about data protection in IGF, we have nonlinear traditions, the legal traditions, the regulatory tradition of data protection and the governments experience procedures and traditions.

In fact, when we talk about data protection, I want for one minute to take a step behind.  We are talking about basically regulatory and legal framework, data protection in itself, yeah, its own expression is the protection of data, something that can be lead, on the trimming of regulation and legislation, and this may be taken into consideration that there's data that must be protected, and this data is personal data.  Why personal data shall be protected?  That's because data and personal data is fundamental to the development of personalities, to grant individual rights and for so many reasons in the Information Society.

But when we take for granted that data must be protected, we are talking basically from a regulatory point of view and it's not exactly what governments tries to do in particular.  That is we are talking about should different traditions that now are ‑‑ have to mix together, have to live together, and this process of mixing two traditions is not linear and it produces a number of uncertainties.  Let's take for instance that there are different traditions in data protection regulation.  For instance, you have one great forum that works on data protection, international, the international conference of data protection commissioners which is basically a conference made for ‑‑ by data protection authorities, academics, and enterprises and civil society which is not so directly linked to Internet Governance across the system.

There are two different traditions that have kind of a hard time mixing together and this reflects very much on the Latin American approach to data protection legislation.

How is data protection developing in Latin America?  Data protection has a tradition of almost 50 years of regulation, but in Latin America, it develops a bit later.  In the ‑‑ after the end of the dictatorship regimes in the end of last century in Latin America, several countries adopted laws called ABIS data in general, in order to force governments to produce data about individuals who are persecuted, who are victims of the military dictatorships.  ABIS data was the basis for several data protection improvements and the developments in Latin America, but that is not exactly data protection.  It's not merely a data protection model.  We will talk about data protection legal frameworks models.

We have nowadays, the European model.  We have very big North American influence.  Maybe not as a model, but as a vector, but the ABIS data has not evolved into a particular data protection model.  That's because data protection in Latin America is very tied to its legal tradition.  Latin American countries are based on European law systems, which is the traditional law approach, to almost every legal issue is reflected on Latin American legal framework on data protection.

And if we take, for instance, other countries in Latin American which adopted data protection regulation, first was Argentina in the year 2000, and then Chile, Colombia, Mexico, and you have now 11 countries in Latin America with data protection law.  Every law is based on something that can be tied to the European approach.  Why?

That's indifference of our European laws in our systems.  It's a new kind of colonialist.  I personally don't believe so.  As you have a certain law system, which is based, it's just rooted in European continental law system, we don't have other options to regulate, in the same way we almost regulate everything.  That is we base it on principles, base it on constitution.  We build a systemic approach on general law and we try to apply it to diverse circumstances, and we try to regulate a priority and not afterwards.  And that's the mainly the legal tradition that we have.  And we have to keep in mind mixing that tradition with other traditions can be hard and even dangerous thing to do, because magistrates, because legal operators in Latin American countries are trained on this law system.  They use it to think in legal issues, in the means with the principles of European law system and that's the language that they understand.  And mixing this language with other vectors can lead to legal uncertainty in some ways.

Well, how has data protection and legal framework developed in Latin America?  I mentioned that there are 11 countries with data protection legislation.  We have also a great deal of regional and individual influence on data protection frameworks.  For instance, every country in Latin America has read data protection according to its own experiences.  Chile, for instance is based so much of its experience on the financial sector and protection of data.  Brazil and consumer law, Mexico on the freedom of information law, Argentina under the ABIS tradition, but almost every Latin American country has based and has founded its data protection framework on constitutional provisions, that is there are values of protection of individuals, and its privacies, freedoms, liberty, which are the main guidance for data protection legislation in Latin America, and that's another point which links very deeply the roots of Latin America legal framework on data protection, to the European one.

In this particular framework, in every Latin American country has also produced special or particular ramifications of applications of data protection in every country.  Brazil, which is my country, which doesn't have as of now a data protection legislation enacted, has some problems of dealing with data protection in an overall point of view, but has regulated several instance of data protections based on this current law.

It has, for instance, the Depak administration in some law.  It regulates consumer data and it's now dealing with encryption in a trial, which is being held in the Supreme Court on what's up and its model of encryption.  And its using its current law, not particularly data protection, but you have other countries which are dealing with the issue in particular ways, for instance, Colombia, who recently adopted a regulation in its own way, recognizing that more than 75 countries, I believe, 74 other countries are considered adequate by their own standards which has been a great deal for discussion inside the country.

And to end my presentation, I believe the future of data protection in Latin America, will be strongly based on building this constitutional and legal tradition that our countries already have and we have to keep in mind that Latin America is now one of the main, if not the major frontier of data protection.  That is countries in Latin America are defining or redefining their legal framework.  Brazil is about to define its law in the following year, hopefully, but other countries ‑‑ Argentina, for instance, are redrawing their situations.

And it is very important, because several new issues, which are being linked to data protection are issues which are important to Internet in general, for instance, encryption, for example, accountability.  I believe that accountability is an issue which is very difficult to deal with, but from our legal frameworks I know of, data protection is the one most linked to the issues, the only one which has some intent of solving or giving parameters and concepts to solve this problem.

And well, finally, I believe also that data protection has much to gain for a generalist governance approach in some instances.  For instance, in Brazil, 5276, which is a bill on data protection which is being considered by national Congress institutes, sectors of council should deal with some data protection issues on policy and some decisions which are I believe, one ‑‑ one point that makes us remember that even if data protection is basically a regulatory issue, there's so much to gain from a general governance approach on this issue.

Thank you very much.

(Applause).

>> CAROLINA AGUERRE: Thank you very much, Danilo.  I was in the queue and this morning, unfortunately, I was not being able to pass as I was detained by the guards saying that someone from the UN staff should come.

Anyways, in the previous, I let people who are moderating in a panel at night.  My sincere apologies.  It is now my turn to introduce the first two round of speakers, who will be talking a little bit, I think very inspired by Danilo's very interesting, controversial, forward looking and also, I think there's so many issues that you have just raised in your keynote, Danilo for our next round of speakers to introduce the case of Brazil, and the current state‑of‑the‑art of how in this case, the Internet industry in Brazil, Marcel Leonardi framework Google will look at how this is evolving in the context of Brazil.

>> MARCEL LEONARDI: I'm glad to be here.  I work at Google Brazil.  I worked this for the past seven years dealing with legislation, and it's been under discussion for, what, seven years as well now, eight perhaps?

I guess even longer than that.  So we have seen our fair share of drafts and, of course as most of you will probably understand, it's obviously the GDPR is the major driving influence on these bills.  Obviously, give and when Danilo just said about the European tradition and the European legal system having this influence across Latin America in general.

So in the case of Brazil, we have seen a few interesting developments with two separate bills trying to talk to each other.  There's one bill in the Senate and one in the House.  And recently a new draft has surfaced from supposedly the executive branch.  And that's where we are drawing a little bit of concerns.  I mean, I won't go into the details of how it compares to the GDPR, because European framework is known to a lot of data protection and petitioners, specifically the idea that it's based on a consent model and things like that.  And this is where I would like to draw some attention to.

For example the latest draft we have seen surface basically says that the public sector can process any data they want with no need for constant whatsoever.  Which is kind of worrying when you consider that we see in particular cases the misuse of data, specifically for law enforcement or governmental purposes.  I will give you a couple of Google cases that we have faced that illustrate this point.

So, for example, what we have noticed is that there's a need ‑‑ there needs to be an ‑‑ a bigger introduction in Brazil to the whole culture of data protection and privacy respect so that we don't get the kind of court orders we are getting these days which is basically something along the lines of let's say a crime happened across the street and then a judge will say, okay, since this crime happened across the street, Google please tell me on a 500‑meter radius, all the enjoined account of all the phones turned on that particular day at that particular time.

This is not a hypothetical example, we got a court order for us to provide information on Android users because they were in the vicinity of a crime.  Basically what this means is there's no real ‑‑ there's a complete disregard for the basic due process causes and things when it comes to certain government uses, whereas the whole array of rules for the private sector is still being discussed.

So what we are trying to do is call for attention for this need for balance, and I think we will get there, but essentially, as these discussions follow along, it's important for the international community and the IGF in particular to weigh in on those kinds of things as well.

I mean, it's still open to contributions and there's no votes yet but just to give an idea of what we are seeing.

Other interesting cases that we have noticed on data protection are essentially discussions around the theoreticals.  There's a lot of fear going around exactly how legitimate interests will play out in the region, especially given that several countries in Latin America as Danilo has mentioned are revealing there are privacy legislation to treat the processing data on the basis of legitimate issue as well and not just consent.  There's a lot of concern of what exactly does that mean and Europeans, of course, have a lot to teach the region in the sense that they have got years of that under their belts and the experience of how that has been applied, Article 29 Working Party has issued guidelines on that and basically as we move on and on to beyond big data to AI, to machine learning, things like that, that will be one of the major ways of processing data.  So it's important that all countries in the region do adopt the flexible approach to that kind of processing, regardless of commercial interests or not.  I mean, basically these days what we can see with AI and machine learning are much more about providing better services and better things for users and consumers in general, rather than just the commercial purpose, for example.

Especially, for example, when you come to online advertising which is the way lots of companies are funded these days, AI doesn't play the same kind of role that it plays on several different applications and several improvements to products and services available online in general.

Finally going back to Brazil and more specifically about certain cases that we have noticed, we have also seen some confusion regarding the data protection and privacy of the individual itself.  So it's very common to see people kind of like mixing these things up in the sense that how exactly individuals should be protected by what they publish online and exactly what people are talking about themselves.  Like, the whole dignity image, honor thing which is kind of related but not exactly the same as what data protection laws are trying to achieve which is basically trying to accept the framework and guidelines for now exactly data can be processed and the hypothesis that can be used and things like that.

So we still have a long way to go and the bills are going under discussion.  I'm not as optimistic as Danilo.  I think that next year being an election year in Brazil, the bills will be in kind of like a stalled mode.  I think we are really going to see a vote in 2019.  That's the overview.  I'm happy to answer questions later on.

Thank you.

(Applause).

>> CAROLINA AGUERRE: Marcel, thank you very much.  I was thinking Romina to your right.  And now it will be Amelia.

>> While I'm going to give you a little background and detail some cases that we are facing in Peru, while the Peruvian constitution recognized that every citizen has a right to privacy and data protection.  And since 2011, we have the right to data protection has been recognized in data protection law, which grants individuals the rights of access, reconciliation, consolation and the protection of personal data.

The data protection authority of our country is the authority for protection of personal data, is an administrative office, not so independent within the Ministry of Justice and human rights who has been adjudicated in the cases in 2013.

But our case is quite particular, because even though we are quite new regulating data protection, our DPA has been working hard resolving some controversial cases, related most of all with the exercise of the right to consolation or while here in Europe, called the right to be forgotten.

Hopefully early this year the data protection law was updated to include among other things, the protection of data for persons.  And to balance it with the freedom of expression.

Before this update, it was not so obvious.  While that's the first case that I want to share with you.  Finishing 2014, the Peruvian DPA took notice of a complaint against Google.  This complaint was submitted by a Peruvian citizen, who requested some results in the search engine.

It shows some new reports, a blog post and related to the complainant because he was investigated for possessing child pornography, and he was a university teacher.

The prosecutor absolve him but these injuries didn't do that.  So the DPA condemned Google, arguing that possessing personal data.  The problem was that this was the beginning of an endless succession of claims filed before the DPA involving and complaining against not only traditional newspapers, but also to digital media.

For example, some of these claims were filed by judges of the Supreme Court, reclaiming for publications of their affidavits, or they were being investigated.

All of them were founded by the previously mentioned case.  Now the law was updated but the problem is still there, because we don't know how many direct claims were and have been filed before the media.

The second case that I want to detail is related to government and the use of personal data.  In most countries, the government excludes themselves from the scope of application of the protection of the data protection law, but what happens when they are possessing our data without safe word or something that we didn't give consent.

In May of this year, in ‑‑ during the international data against the trans phobia, the Peruvian government launched a survey related to LGBTI community.  The government encouraged this community to commit to its survey, without improving the public policy.  It was by the Peruvian and statistic authority in a very insecure web platform.  We found security that allowed any malicious user without good expertise to download every entry of the service which contained not only personal data but also really sensitive data as held or sexual orientation.

We informed this to the government and after sometime after review, we asked if they fix it.  And the problem there was not only the responsibility to conduct something so secure, but also the observance of several principles of data protection laws such as data mining and data protection.

While these two cases show us how our policy is still being developed.  How important is the ‑‑ to have a national approach when we are designing it and how the adequacy to foreign policy could impact in a bad way on our legal framework.

Thank you.

(Applause).

>> LUIZ FERNANDO CASTRO: Well, after listen, I would like to introduce Carolina of Argentina to talk about the Argentina state‑of‑the‑art.  As Danilo exposed, Argentina was first.

Any study about the Latin American situation, Argentina as the most evolved country in Latin America.  It's also a big importance when we see that this year, next year, Argentina will take the presidency of the G20.  That means that Argentina in a certain way has a leadership or plays the role for this subject in Latin America.  And I would like to ‑‑ to ask you to make a little presentation or say a word about the authority, your data authority, how it works and if people, common people know what they do, and how this kind of legislation is placed in normal people life.

>> CAROLINA AGUERRE: Thank you.  So as was pointed earlier, the case of Argentina is a beacon in the current scenario and so Argentina has this law that is being revisited.  There's this bill that's being discussed currently at Congress, which should have been sort of ‑‑ it was said to be approved before the end of the year, but that will not happen.

And there is this ‑‑ this new bill is proposing a reform in the data protection mechanisms in the country.  These new, let's say approaches to data protection in Argentina considered in this bill include a greater control of databases in the country.

What the data protection authority currently states is that there are 30,000 databases in the country and actually it has no ‑‑ it has ‑‑ it has strong difficulties in being able to monitor the correct implementation of best practices in terms of data protection.

There is, in this new bill, there's a need for companies to be more accountability and transparent when they are being ‑‑ when their data breaches or hijacks.  There's increased demands for organizations who have databases to ‑‑ for cybersecurity.

A very interesting point is much in line with the European tradition and I must say that for those of you who are not very much aware of what this new bill looks like, and what the ‑‑ the existing law in Argentina states, it's very much like the European law and the critics of this bill say that it's really copy/pasted from GDPR and I will get back to this point at the end of my shore presentation.

So there's a need for the development of data protection authorities.  There is the need for simultaneously national companies to adapt to this local legislation, and I think it was in September or August, there was a new idea of not just to create a national agency for data protection which is what is included in the current version of the bilk discussed, but also to create an agency that is for data protection and access to information.

So in this one independent agency, data protection now depends on the Ministry of Justice, the idea is to create an independent agency for data protection and access to information, which is interesting.

What do we see in terms of how the current mechanism for data protection in Argentina work.  And if the challenges facing such a bill if it would come to be approved and put into practice.  It's basically the problem of implementing such a bill in a country such as Argentina.  So there have been problems in the implementation and the enforcement of this bill in the past, and what ‑‑ what we see in a way is the challenges that are imposed for ‑‑ not for only the private sector but also for public sector and for the administration, the state administration to comply with this new regulations.

And in the center where I work, we have done research commanded by a national ‑‑ a provincial body which I won't state who it is.  I mean, they just ‑‑ because they are fearing how they have to react to this new legislation in case they ‑‑ it is passed.

And there are severe institutional problems even in the public administration of being able to comply with how this new regulation will take place, because even though Argentina has this very advanced law in the region, it's still, since the year 2000, it's not embedded in the cultural organizational and best practices management inside their own institutions.

So ‑‑ and this is, I think, a problem that we always face in Latin America in general, that we have very interesting laws on the paper and then we have this incredible problem of applying and implementing them in practice.

And so this is the current state of debate in Argentina in the general framework.

Thank you.

>> LUIZ FERNANDO CASTRO: Thank you, Carolina.

(Applause).

I thank you for your presentation and invite Amalia Toledo to make the point on this subject from her country, Colombia.

>> AMALIA TOLEDO: Good morning.  Thank you for being here early morning and for the invitation to be part of this panel.

First of all, I'm not an expert on data protection law.  I just wanted to present some relevant case, I think is ‑‑ it's nice to look at.  And some issues that it has that we see from Karisma in this case.  Colombia has a data protection law since 2015 and also recognizes the privacy right in the constitution.

But this case I wanted to share is about a woman who went to a lab to do a pregnancy test.  Her test was positive at the time, and a few days later, she got this call from this entity that was offering her some stem cell preservation services.

Well, the Colombian data protection authority got a complaint from her about this issue because I think she didn't even mention that she was pregnant to her husband yet, but she was getting a call from a company just to have stem cell preservation, but the Colombian authority got this complaint and finally punished the provider for unauthorized collection and use of sensitive data related to woman's pregnancy status in order to provide commercial services.

This case confirmed that we have already seen ‑‑ well, we have already seen in others, the profiling of people in the specific silos, especially those who generate high economic return, such as maternity.  Pregnant woman and in a great ‑‑ in a position of great nobility and consumption now.  We also have data protections law.

More than just that, the laboratory defense in this case, while it has ‑‑ not the laboratory provider, it has the expressed authorization of the woman when she signs a consent for the pregnancy test and this other lab.  This was disregarded by the DPA, the name of the woman with several notes in this database that says she was a prospect for this commercial service and her phone number to which she was contacted to offer this service.

She was profiled but she did not provide any consent for it.  For Karisma this case seems to us, that it's just the tip of the iceberg when we think of the government plan to digitize public services and sensitive citizen data.

And currently, the government is just working in this plan to create on this new regulation to create an electronic health and clinic record information exchange system between healthcare providers.

When we see several problems with this, but particularly, what we see is a tendency of the Colombian government to rely on nonpublic intermediary to articulate that data intensive system, in this case to deal with healthcare providers.  And the problem is that the government has not fully defines what are the attributes the faculties who will be the intermediary for this system, however, we see with concern that the government tendency is to delegate this role to private actors and to come up with regulation that sometimes resolve expressed consent in a superficial way.

We have another example on the master importation system that they are collecting a lot of that given some benefit for people that register and then when you look at the terms of services of this whole system, the ‑‑ it's a public/private alliance partnership, sorry.  But, you know, 89 articulator can easily sell all of this data for commercial uses.  It's a tendency seen in Colombia and that worries us.

In this case, the DPA acted properly.  It remains to be seen what is his role because we have not heard anything about the opinion and what the DPA thinks about this new exchange system, health and clinic collection system, but we have to see what will be his role, and what the ‑‑ what they think about it and what will be the subsequent oversight of the system, since we all can agree that the data that will be shared between healthcare providers can be managed by this articulated.  We don't know who it will be are really vulnerable and exposed to commercial and public abuses and undermining the private citizens.

That's all I wanted to share with you.

Thank you.

>> LUIZ FERNANDO CASTRO: You can do it.

>> CAROLINA AGUERRE: Thank you, Amalia.  Yes, I think this is a very ‑‑ a very ‑‑ the epitome of a highly sensitive case in terms of sensitive information, I mean, and there's a lot to be said about our region and how our health systems are working along these lines and European, with the healthcare records of European citizens, I think is an interesting example to see.

Romina Garrido is here with us from Chile and she will be presenting the Chilean case in this panel session.  Thank you, Romina.

>> ROMINA GARRIDO: Hi.  Yes?  Hi, everyone.  Sorry for the delay.  I feel very ashamed with the panel.

So ‑‑ but I never imagined the line outside.  So sorry.  I'm here.  I'm Romina Garrido, the executive director ‑‑ yeah?  I'm Romina Garrido, for Datos Protegidos, a civil society in Chile.

It was a concern about ten years ago.  We are waiting for the change over legislative framework.  Chile was the first country to have a data protection law in Latin America.  Our law is from 1990, but we ‑‑ if we think the situation about our country, those days, not even 2% of the people were connected to the Internet and now we have the most connected country in Latin America.  40% of the people is connected to the Internet, and our data protection law don't even speak about Internet of digital matters in the text.

So the law only regulate the database and the right to access consulate modification and to the processing of data, but the law don't create a DPA.  We don't have our data protection authorities.  So the people who have to exercise their right have to go to the tribunals or common courts.

So it's make that process very expensive to the people and the law even being applied in our country and it's ‑‑ we have a very lack, fulfillment of the law between companies and even the public bodies.

The civil procedure that allowed the people to exercise their right is ‑‑ what I say, it's expensive because you need an expert advisor or a lawyer.

So the law applied to the public are the private entity, but don't ‑‑ don't ‑‑ we don't have the authority and we don't have the system of register of databases in the private sector at least.

In the public sector, we have an obligation to reduce the databases, but no one fulfilled that obligation at least.  And we have wide exception to the concept.  A lax regulation about international data flow.  That's an issue nowadays.  Just one article who defines transfer of data.

And the use of personal data with marketing reports now is ‑‑ can be used without consent.  It's not registered to the public databases and in existence register for private database.

So Chile in 2010 gets to the OACD and in the evolution to getting into this group of rich countries, one of the concerns was the insufficient legal framework in data protection.  So our country as some ‑‑ the political commitment and the commitment with the improvement also, regarding to change your legal framework and ‑‑ or insufficient legal framework for the data protection, and that commitment is unfilled until now.

We have been three bills in the Congress, and the different Chilean governments through years have been presented different kind of draft with different models.

And the first one was in 2008, the second one in 2012 and 2017 was the last one of them with two bills, 1% by a senator and 1% by the executive power.

The difference between us, the first of the ‑‑ the first of the bills, the percent of the senate is a project who have a strong fulfillment of principles and improved the people's right but don't have the authority because the Senate don't have the power to create it, because this exclusive initiative of the executive power.

And the other bill creates the urgency of ‑‑ the data protection urgency.

The current legislative process ‑‑ these two bills were at the Congress this year, and they are discussing together in the committees.  So the current legislative process shows some progress.  Now the work in the committee has been long with the participation of many, many actors, like industry companies and puck lick sector also and NGOs like our NGOs.  The bill has raised so much interest and from different sector.

If you ‑‑ if you check the different session of the committee, there are 16 or 20 speakers, every time.  So it's a project who in general, a lot of between different actors.  But in Chile now, we have law, but we don't have clear rules about data protection, or about the way that data can be processed in Chile.  There's no clarity, even to the industry or companies.

And we wonder if it's just an issue related with our economy or it's a matter of rights finally.  And this is our central question for understanding our challenge, because the bill always being related with the economies, public bodies at the government.  To make to understand the value of data, like not just a commodity, if data ‑‑ because data is part of the personality and the dignity of the people.  And data law, we think that is the first step to do this.  It's one step that should have taken many, many years ago, but the tings that ‑‑ the things that don't apparently move so fast in Chile that we want to do it.

So the current bill at the Congress is the more advanced effort in all of these years, but we have some comments about this initiative ‑‑ we have to find a report that we prepare on our website, datosprotegidos.org, and you can find some comments with the DPA or with the data flow or with the self‑regulation matters.

And we thought ‑‑ we do a lot of criticism about the political fragility of the new urgency, regarding the resignation, the political independence and for more the authority or the power to supervise and regulate the public sector and their companies and this don't happen in the project.

And some mainstream regulation about self‑regulation also.  We think that that could be some sector of the economy that it's ‑‑ it could be self‑regulating with the review of the ‑‑ this regulation by the data protection authority.  And the protect ‑‑ the bill has some good things too.  They recognize some new right for the people, like portability and right to dispute the automatic decision and this is very important in the Internet era.

And the mandatory disclosure of data breach is also considered in the ‑‑ in the project.

As I said, we are missing the self‑regulation models and we have uncertain rules still now in the discussion about the definitions of ‑‑ regarding the regional application of the law.  This is an issue.  They decide or take a decision about the obligation of the law is a matter of enforcement of the law at the time of the Internet.

So this is our comment about the situation in Chile.

Thank you.

(Applause).

>> LUIZ FERNANDO CASTRO: We thank all colleagues that presented a point of view from their countries.  And before opening the board to the floor.  I would like to make a few comments and any of the speakers who feel comfortable to talk about it.

As we listen to all the expositions, we have the same impression that we believe into very, very similar continent or subcontinent.  The problems are very similar.  The law is a good intention, most of the times and ‑‑ but many times they are not practiced so well as they were supposed to do.

Sometimes we hear from companies interested in working with data that in our continent we leave in a very special situation.

We need huge investments for bringing connection to everyone, and people say that money is required for this.  And in a certain way, that could justify that companies can deal with personalization in this way and justify it in these countries.  In this sense, they say it's too hard to have all the European obligations in Brazil or any other country.  Do you have any view ‑‑ any of you, a special upon on this argument.  I invite you to make consideration.  Danilo, yes?

>> We always heard this kind of argument about companies who said how difficult it is to fulfill the legislative in Europe but they fulfill at the end of the day.  They do that for the European citizens but they don't apply the same standard in Latin America and the question would be the opposite, I think.

Why they don't do that, if they accomplish a higher standard in Europe.  Why they ‑‑ why they have to fulfill a ‑‑ accomplish a lower standard in Latin America?

>> LUIZ FERNANDO CASTRO: Danilo, please.

>> DANILO DONEDA: Just to quickly add that the think about Brazil, we don't have data protection.  As a matter of fact, we see several enterprises who are slowly becoming used to the idea that they have data protection, I believe next year, I'm not so optimistic.  I hope next year, but it can be in two or three years.

We will have data protection or not, and then what will happen to ‑‑ what will ‑‑ should those enterprises do, I believe that there are no prior experiences on data protection for several typically Brazilian enterprises.

There's a kind of fear that is similar to have a fine injection issue.  I fear the pain of injection but if we don't have injection, I won't live in the next ten years because that also protects enterprises from reputation problems.  It also leverages standards of data protection and makes several enterprise able to make contracts with other enterprises and other countries which demand higher standards of data protection.

There's also another interesting notion of data protection which is called co‑vergence, which there is a tendency to data protection legislation converge to certain standards and those standards must be clear and loud, so that they have personal data and they have to comply with that.  If everyone complies to that, we will have it above what could hurt the citizens.

So I don't believe that there is a real problem or it's ‑‑ the notion of free enterprise innovation is uncomfortable with several standards of data protection.

>> CAROLINA AGUERRE: Before opening the floor to the questions, I just wanted to add something, which is what is of great concern to me is that complying with higher standards of regulations without an adequate thinking about how will governments support their own public administration as I stated before and particularly national SMEs and the small companies that need to invest resources in complying.

For Google or Facebook, it's much easier to comply.  They will have their own difficulties, than it is for an ISP that has 500 customers and this is the case.  This is what we face.  I mean 500 customers and two full‑time staff.

So this is what I really find challenging in a region where I want to develop our national or our entrepreneurs or our businesses, and we need this legislation and the implementation to accompany the fact that we just don't want this to take into account the big Internet giants but particularly to help the smaller companies who are already outside the system.  So in Argentina, it has been calculated that 30% of the registered databases, there's another 70% who is in the black market to say it.  I mean, it's off.

This is what we need to bear into consideration.

So with this, I would like to open the floor for comments.  We've got 20 minutes.  I'm sorry, if you could please introduce yourself.

>> PARTICIPANT: Yes.  Sonia from Third World Network.  I found the presentations very interesting and I wondered when you were talking about the Argentine bill setting things about the databases whether you could explain whether it's proposing that the databases have to have a certain level of cybersecurity and if so what that is, and for others maybe from Hiperderecho where you think they should set certain levels.  For example, should online banks be required to have two factor authentication and so on to protect our data?

Thank you.

>> CAROLINA AGUERRE: Should we take another question from the floor and then answer two questions?

Yes.

>> PARTICIPANT: Hello, I'm Vaston Baker.  I would like to ask Amalia, about where her opinion about the constitutional recognition of data protection, if we have to ‑‑ as a region we have to move in that direction or in the fact that it's not necessary to recognize our constitutional level of data protection to, in fact, be more conscious and more like ‑‑ in fact, we have more protection environment in our legal situation.

I don't understand if you understand me.  Okay?

Thank you.

>> CAROLINA AGUERRE: So I will answer the lady's first question.  In the text, in the current bill, there is a provision for increased cybersecurity management, but there is no specificity, because the way the bill is framed, it's still like general, and then we have a second stage and then there will be a regulatory framework in how to implement it.  There's no technical specificities of how this increased cybersecurity management of databases will be considered.

>> MARTIN BORGIOLII: Yes, the government must implement security measures to protect their database.  It's really important nowadays because it's really cheap for an institution to have a database and to possess data to have the basic ‑‑ they think that they need to implement the security.

So this problem that we had in Peru early this year is really good example of how the government could be like ‑‑ or could have a good policy but with a bad implementation.  So it is ‑‑ it's really important for the designing of data protection law to ‑‑ to put and to empower these principles or principles of data security, for example, to avoid this kind of vulnerabilities.

>> AMALIA TOLEDO: I wish I was an expert on this.  I'm a human rights lawyer with a focus on freedom of expression, but mainly, I'm not a data protection expert.  But I believe that data protection is just part of a bigger umbrella that is privacy and privacy is already protected in many constitutionals ‑‑ constitutions around the world and in Latin America.

However, I know that in Colombia, having this data is part of ‑‑ it has constitutional protection.  So I guess it's a matter of cultural and social and law context in every country and I guess it would have his own development according to the country's context and background, I guess.

>> PARTICIPANT: My name is Mario.  I'm Brazilian.  I have wear two hats.  I have a question on what Carolina said, this idea of prevention innovation.  I think we have European experience for 20 years or 30 years having data protection and strict data protection laws.  I see in the EU, you have much more SMEs and working with technology that has no data protection being right?

I think it's much more a matter of culture, instead of just avoiding laws and the flow of information.  I think it's now consumers see or users call it ‑‑ call us, much more in favor of having a more regulated environment and having a kind of sensation of having their information protected and just having no law as in Brazil, which is not 100% true.  We have many laws governing data protection issues but we have no cultural, like, say, going to court to protect our data.  It's just avoiding laws to protect ‑‑ that's just my comment for that.

>> CAROLINA AGUERRE: Thank you, Mario.  There's another question here.

>> So my name is Giovanna, and I'm from Brazil.  I'm doing a master's on book PR in the south, about data protection.  So I wanted to follow what Professor Aguerre said.  Do you think it's more of a cultural matter?  First we have to educate people and find what is ‑‑ why it's important to protect the date, and after ‑‑ after we follow the legislative path about ask our politicians to make laws more effective or should be around the first laws and educate.  We have a view that just passed in a way that was after problems and now we have a lot of problems with data protection and my main question is what is the right or more adequate path, first educate or first make laws and pass bills that are ‑‑ that protect that of the main community?

>> MARCEL LEONARDI: I would like to give you an approach from the Internet.  We are the IGF, the Internet Governance Forum.  It's more than just Internet companies doing what they do with their data.  We are talking about diagnosing cancer by several comparison images and there's plenty of very interesting things going on, for instance with precision agriculture and completely unrelated to what we usually think of data protection.

To your point about education versus regulation first.  It's kind of like the chicken and the egg.  We are talking about the generation that would rather eat their food cold so they can Instagram whatever is happening at that particular moment.  So there ‑‑ sometimes people say they want something specific on data protection and privacy but they don't actually do what they say they want.  And so sometimes, it's a matter of where exactly should the state draw the line that this is the minimum amount of protection that people should have, even if they don't know any better or whether we should leave people to do their own choices and basically have a legal framework that respects all of that.  I guess it's a mix.  I guess we are perceiving.

Of course when you get the you're r European approach which is incredibly big fines and obviously there's not much sense talking about educating people.  Of course, companies ought to comply otherwise, they will be on the hook for a lot of money.  But from a citizen point of view, I guess, what really is there is basically the need for continual education.

For example, you brought up Brazil and there's something in that article, which is basically Article 26, which says that as part of the duties of the state of Brazil, schools ought to educate people for the adequate use of Internet in general and I think digital literacy will play a gigantic role in practice.  Laws can say a lot but if people don't care if they are being protected, as I said they keep eating their food cold and do way worse things online.  Luke, maybe many of you heard Vint Cerf talking about Internet driving license.  He said, he should be trained minimally to navigate not in terms to be identified, but to be aware of some risks and how it works and it seems very interesting because you can do many things in Internet but you take many risks and things are not done very clearly with transparency, and this is very important.  It's a pity we don't have our colleague from Mexico that couldn't come, but we had the presence of professor from Brazil, that they the protection authority data make for teaching people how to use Internet and to be aware of the risks is ‑‑ is answering Giovanna's question and adding a comment to Marcel's.

You have to do both things together.  Just the law is not enough.  A good way is to communicate and I got this example from the Mexican agency and it seems very interesting for me.  Every time they proposed new movies and new subjects on Internet to teach people how to use it.  Exactly as Vint Cerf said two days ago.

>> I will make a brief comment on this issue.  I'm not at all against digital literacy.  I believe that even it's necessary and it's proven to be better than ever.  When you talk about cultural approaches and biases regarding to protection of data technology, I believe we have to be extreme higher standards careful not to blame people on what is being done with their data, in the sense that, yes, it's important that people know the risks and now to opt in, opt out on different situations but do people really have choices or concrete choices to do when they are exposed to the possibility of being excluded from some network, from some market, from something that they really want.  So I believe that legislation and regulation plays I don't know a major role but a fundamental role on supplying people with real and concrete choices and then education will do its part and there's a question.

>> Thank you.  The questioner and the user doesn't want to be identified and he asks or she ask:  Do you see a new future where the region will have a common approach for data protection?

>> CAROLINA AGUERRE: I'm just jumping in because this is something I was going to propose to discuss as well.  I mean, a lot of what is discussed in the GDPR and Mario, you mentioned about the innovation and SME environment in Europe, we are talking about a region that is considered as a market, as a single market and is working very much in the lives of a digital single market.  So in Latin America, we have this challenge that we haven't been even able to make our own region work along the lines of Marcos Sude in the past.  We are trying to revamp these regional blocks, the trading blocks and we want to go forward with the idea of a digital signal market precisely because that might be the path forward in terms of working together, because with data protection, we didn't address the other issue of cross border data flows which is very sightly see on the implementation as Danilo was mentioning at the begin.  There are AI issues here.  There are encryption issues, but there's also the issue of cross border data flows which should be addressed as part of the debate.

I'm sorry, Martin.  Yes?

>> MARCEL LEONARDI: Yes.  A little addition is that we need these region approach on data protection and not only because we have our own reality and our own problems, but also because sometimes governments are conditioned by free trade agreements with European law, with European governments and from one day to another, we have the data protection law.  That was ‑‑ that ‑‑ that happened in Peru, and we didn't have a debate in the Congress.  It was ‑‑ the data protection law and the implementation of the data protection authority was a product of faculties delegated by the Congress to the executive power and from one day to another, we have everything.

And we ‑‑ we lost the opportunity to discuss our problems in the Congress, that could be very helpful for us.

>> DANILO DONEDA: Regarding the cross border question that Carolina raised, we are working on data protection Brazil right now was properly a demand from 2005, by that time Argentina has a general protection regulation, and Argentina was the only culture in the region.  And I believe that that should be main driving force for many countries in Latin America, to have adopted data protection legislation which is to pursue something with the European Union.  Brazil has a strong internal market, and they could not pursue ‑‑ at least in the sense of the countries must have ‑‑ there must be a real need.  I believe if it was strong now as it was in the year 2005, that would be a real discussion now.

In July, the data protection network approved the documents we call with standards from data protection legislation in Latin American countries is not very new, but is very interesting work of putting together several standards and principles and regulations which are common to most to not all Latin American countries which is maybe a basis for what can be in the near future Latin American framework.

>> CAROLINA AGUERRE: Yes, Amalia.

>> AMALIA TOLEDO: Just a comment about that idea of a common framework.  I'm not so optimistic about that, about the common standard.  I think that the ‑‑ the Latin American ‑‑ the Latin American network do a good job from with that.  I think we have a problem from our countries also.  At least in my country, it was so difficult that the government understand that data protection is a completely different ‑‑ it's not a thing just related with transparency or the openness of the government.  And I saw that attendance in Latin America is to put the two things together.

In Peru it happens and they put data protect I don't know and transparency authority, and I think that's ‑‑ that reduced the ‑‑ the wide kind of view that we have to have about data protection issues, because it's more than transparency.  So I'm not that optimistic ‑‑ I think this should be a common standard, but I think that we have a problem from the ground maybe, from the ‑‑ from the base, and this problem is our governments don't understand that data protection should be a right of the people.  It's not just a matter of commerce and economy, it's a right of the people and digital age and I saw that situation in my country, at least.  We ‑‑ we go to the authority to talk about data protection and they start to talk about transparency and openness.

So it's not same question as ‑‑ it's not the same issue, it could be related in some kind of cases but when we think in companies, small or big companies we don't speak about transparency.

>> CAROLINA AGUERRE: Thank you, Romina.  We have only one more minute and we have to really round up now.  So if there's any other extra comment or question from the floor.

>> PARTICIPANT: My name is Bruno.  I'm part of Nick Dot BR but I'm speaking in my personal capacity.  Danilo has made interesting initial remarks, by establishing the governance and the regulation approach.  And immediately I remember one of, like, the Seminole books, the governance of privacy which was wrote by two scientists politics, and basically it's a theoretical framework that we should use more than law to ‑‑ to behave, you know, to design a kind of new normative approach and I think that we are witnessing right now what is happening with the GDPR, one of the most invasion that the doctor points out is that the GDPR would adopt a risk‑based approach in the sense that we have now like the risk partner assessments and basically this too aims at reducing the symmetry of information.  And this should produce a kind of more information in order to fulfill the strategy and the actions from the regulatory states and agents.

So I would like to know some thoughts on that.

>> DANILO DONEDA: Okay.  I will take the bait.  There an underlying challenge in what you propose, though.  One major complaint that companies get all the time is how terms of services are long and legalese and nobody reads them and at the same time, the GDPR does provide more information, more explanation, more detail and so I guess it begs the question of will people actually read and care about those things because that's what you are doing right now.

Companies can no longer get by with saying, oh, hey.  You have to explain how, right?  That's good.  That's obviously a step in the way of what you are saying but at the same time, I guess it begs the question of who exactly is going to be reading those things and would exactly is going to be really concerned about this.  And an audience like this where people came here in the 9 a.m. privacy, obviously everybody cares deeply about the issue but I'm not so sure about the average user.

Carolina gave me 60 seconds.

When considering the risk approach and procedures of GDPR, we have to take ‑‑ we have in mind that GDPR works in the legal framework where data protection is based on the shorter of fundamental rights of European Union and so it's deeply based on fundamental ‑‑ regulation of fundamental rights, not regulations, data protection is recognized as a fundamental right, and it only has to implement practice, principles to make it concrete.  And the risk approach which is not alien to our tradition.  It can be applied, of course.  It produces good direction from people ‑‑ to people and protecting their rights.

>> CAROLINA AGUERRE: Okay.  Thank you very much.  I'm very sorry we don't have time to wrap up.  We have to leave the room now but I would really like to thank Danilo, and others for organizing this splendid panel to discuss our region, but in facing the other regions in a global environment such as the IGF.  Thank you very much.

(Applause).

(End of session)

Contact Information

United Nations
Secretariat of the Internet Governance Forum (IGF)

Villa Le Bocage
Palais des Nations,
CH-1211 Geneva 10
Switzerland

igf [at] un [dot] org
+41 (0) 229 173 411