You are here

IGF 2018 - Day 2 - Salle VI - OF26 Commonwealth Open Forum - Data Protection

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> Okay.  Thank you very much for coming.  My name is Robert Hayman.  I'm the manager of events, and I got a are acting manager at the CTO, which is the commonwealth telecommunications organization and for those of you who don't know a CTO we're a membership governance we work in the field of ICT and deliver support to our members that commonwealth governments regular taters, and we have some I.T. sectors such as Facebook members as well. 

      Now, I'm very happy to be here and share this session.  It's my first time sharing a session, and I'll try to speak clearly for you.  I'm going to introduce the speakers, but before I do that I'm just going to give a quick summary of this session and what we're trying to achieve from it.

     So I'm just going to read the description ‑‑ session description, so we can all have an idea what we're going to be discussing, so the session is data privacy and protection and the description is ICT continues to advance at a rapid rate and is providing a foundation for economic development.  While countries are working towards creating digital societies there is an urgent need to ensure the protection of data by implementing appropriate legal frameworks and raising awareness on this.  The entry into force of the EU data production regulations and its global impact underscores the countries to pay attention for these issues.  For many commonwealth countries especially developing countries there's exists inadequate legislation to address data protection, and for those countries which have legislation.  It will only be partially enacted in some states ‑‑ as some states grapple with establishing the necessary institutional structures to give effect to the laws. 

      At a recent commonwealth forum that was held in 2018 in Gibraltar which was hosted by the government of Gibraltar issues pressing individual and collaborative priorities where inevitable resource ‑‑ sorry, where inevitably resources should be challenged enduring themes continued the importance of learning from each other via rich dialog such as this and the pivots of role of this data space and capturing arriving

      This session proposes to serve as a platform to provide information on the making data protection laws relevant in the digital age and raising GDPR of commonwealth states and drafting and implementing database protection laws of a view of overcoming these challenges through sharing of good practices and facilitating partnerships to build the required capacity. 

      So I am very pleased to be joined by Alain kappa who's the senior policy officer at the international ‑‑ sorry, sorry.  He's ‑‑ Alain is the senior policy officer international engagement at the information commission's office, which is of the U.K. government of Great Britain and northern islands, and alongside Alain we have professor Mona Gubort.  Sorry, professor of law and PM of information security panel ‑‑ 

(Speaker Not Mic'd.)

>> MODERATOR:  A permanent, right.  Okay.  Thank you.  Thank you, Mona and also as the head of the Lebanese information technology association and is a member ‑‑ a member, founder of the Pan‑Arab observatory we brought Mona because she's an expert in data law, and I listened to her discussion yesterday where she contributed to that commission, and we can learn.

     And we have El Naya Plexico of the governance and IGOs engagement senior director at ICANN and she's also joined by her colleague Teresa, Teresa is a senior vice president multistakeholder strategy strategic supervisor of ICANN, and you can share your experiences from the ICANN perspective

      And then we're also looking at the member states and what our members are doing in this particular area, and I'm pleased to say we have Mary Uduma who is managing director of JNO digital solutions, but you know Mary from a lot of other things that she's worked with in the ‑‑ in the ‑‑ in the wider ICT community she represents republic of Geneva.

     And we have Sally Netta ‑‑ executive director of Pacifica and president of the south Pacific computer society the Republic of Figi, and that was a mouthful.  Italy going to be Alain giving an overall of GDPR and the commonwealth and also be talking as a member of the common thread network.  Thank you very much.

>> Thank you.  The information ‑‑ with an independent regulator we're not part of the government.

>> MODERATOR:  Sorry, I realized that mistake when I said that. 

(Speaker Not Mic'd.)

>> MODERATOR:  Absolutely.

>> There was an overview on GDPR, and I think everyone will know about the GDPR, and I won't try to expand on that.  I think my representation will try and capture the outcome of GDPR, and so what it means for ‑‑

(Inaudible.)

>> It's the scope of the regulation as pertains the ‑‑ 

(Hard to hear.)

>> I'll come to that in a moment and the internet and digitization are fundamentally changing the way ‑‑ they have changed the way as people in business and government interacts.  This has led to a new phase of globalization by the moment of data across national borders changing partners in international trade, goods and services and also serving an impact on global business and GP of the states. 

      As recent reports have shown the movement of data has already surpassing traditional phase.  The geography of globalization of data flows also changing within digital world.  All the international trades and goods involve at least one developing country and trading goods between different companies or so could source trade from 7% to 18% from year 2000 to the year 2016, but what does it mean?  Those data flow use for economic growth obviously and for citizen to control all the data that had been used, but this development also presents new challenges for government and regulation of the ICO to ensure those opportunities are used but not abused. 

      Obviously, I refer here with the Cambridge Analytica which you have seen in the press but from an economic perspective data is related to trade in goods and services in the digital economy.  Insufficient protection can create negative effects by reducing consumer confidence and overly stringent can obviously unduly restrict businesses in the way they interact with each other. 

(Background noise.)

>> And that adverse economic effect is a big result on businesses themselves but also on the economies. 

      For cooperation governance ensuring global metrics in scope of the obligation and competitive in other framework is of utmost importance for the global internet. 

      Moving away from the economic and the consumer arguments there's issues relating to democratic governance, ethics and organization in the fundamental rights of the individual. 

      Concentrating on the provision of search, communication, retail and financial services rely on the collection of personal data as well as the absence of control of individuals on the decisions that are made on their behalf. 

      And the global nature of internet also mean data can be quickly and easily transferred to third‑party jurisdictions.  This transfer can undermine domestic privacy goals which can prompt limit the free throw across borders.  This is, for instance, what happened in 2015 when the Irish authority asked the court of justice in European Union what are the Safe Harbor arrangement whereby companies can send information across the pond of the U.S. and the court of the court said it was invalid and the privacy issue has come in to force, but it doesn't mean that's the solution because ‑‑ those following the news may be aware we're in constant discussion, and it's unresolved and we're still unclear transferring data over the border to the U.S. is a safe place to go but what I want to say all the above shows in the age of borderless data flows there's ever been an important time for government protection security, and there's he a level of protection between jurisdiction, which is the need for legal control for cross border flows and in order to prevent the law of democratic regime to be circumvented and the privacy rise ‑‑ globally as well there's a recognition that there should be some law requiring those across border transfers, and there's a wide approach to these issue and innovation to exemptions but unfolding is no single blip for managing that.  Under the country there are multiple international initiatives which I'll speak a little bit more on if you have the time but even those divergence exists we see a number of jurisdiction protection of privacy legislation ongoing year on year and that there's a lot of underlying ground on the principles and a broader concern all of this should be addressed. 

      In terms of underlying principles, and it's directly related to GDPR we see sort of an openness organizations must be open to all of the user and process personal data.  There should be some collection limitations, so you can't grab all you want you're determined to be limited, fair and the consent of the user, user other legal grounds to do this, so it ‑‑ the ‑‑ sorry, the purpose must be specified, and they need to be limited and there must be some safeguards contain that data and then there's some ‑‑ be able to provide access to the individual of the data, so those are the ‑‑ they are enshrined in the GDPR and then one of the last principles of compatibility, and make sure that controllers are responsible for the way they bundled their information, and one last one, which, I think, is key to ‑‑ to the future of the internet governance is the compatibility and to ensure whenever you go to ‑‑ you can go without too much trouble. 

      As I say there's no perfect way to regulate or legislate those different approaches so what is key the concept of intraoperability or is mentioned the data of operating the different systems.  You have core principles 108, which is a new ‑‑ it's a known convention, and it has been modernized recently and all parties that those in Europe can sign up.  It's one of the only binding agreements that exists on data protections, which is one that is really relevant and enabling the economies to grow by using transfer data and then you have other system like epic like in Asia‑Pacific they also have established a privacy framework.  You have also others doing the same thing and then GDPR.

>> MODERATOR:  Alain, I know you took 15 minutes to discuss I think we should talk about ‑‑ some of the practicalities how the commonwealth can bring capacity in a particular area and one of the things that you have experienced is the commonwealth threat network and if you could just give a capacity for that and talk about who's involved and what can be done in that area.

>> Yes, sure, as you know the commonwealth about 53 jurisdictions.  At the moment about thirty jurisdiction in the legislation and that means large portions to have data protection and the 30 of data protection some don't have a data protection commissioner or anybody to enforce the legislation so what we do within the common thread network ‑‑ it's a network that started in 2014 and in Canada and the U.K. and to group all those data protection authorities and privacy authorities and find common ways, commonalities and trends we can discuss together to see that dialog at the international level and the regional level.  And what we also tried to do is grab all those states data protection framework and say, well, why don't you join us and see for yourself, and it's sometimes to grab the right person 'cause when you ‑‑ when you look at across the commonwealth, and you look at the different ministries of the data protection or it varies, so find the right person and speak of the benefit of having a framework, so you can enhance and grow the economy.  That discussion is about that generally.  We have regular meetings and the initiative, and we also think ‑‑ be attentive the commonwealth meetings are doing.  For those who are not aware, head of governance in the commonwealth is second year so last ‑‑ last April was in London, and they issued a declaration on cybersecurity to work at the regulatory bar that I say ands and raise the bar, and there's another declaration on the agenda trade investment.  Again, it's about showing the different commonwealth jurisdiction that again in having strong data standards so removing those ‑‑ raise the bar that exist.

>> MODERATOR:  So in the U.K. you feel there's enough in terms of regulation ‑‑ you feel it's effective in dealing with lots of the issues that arise in terms of data breaches, but the commonwealth can be doing a lot more as a general rule ‑‑

>> Yeah, absolutely.  I think implementing a new data protection regime is something that takes a long time.  I'm sure ‑‑ 

>> MODERATOR:  Yeah.

>> I'm sure Maya can speak of that, but we're getting there.  I think those that you instill also means when you get to the table people realize that it's a benefits gain here.

>> MODERATOR:  Okay.  And the longer you stay at a table and the more you go at those meetings the more you can make your point.

>> MODERATOR:  Okay.  Thank you very much for your contribution.  I'll come back to you later.  Mona, could you talk about your experience as a legal professor of law and your area of expertise is data protection and if you can't talk about the work you've pare out and the overarching commonwealth countries?  Sorry, talk about the work you've ‑‑

>> Oh ‑‑

>> And how you feel you can give advice of the commonwealth issues that come in this room. 

(Speaker Not Mic'd.)

>> Raising a little bit of in society. 

>> Sorry, so ‑‑ well, I have to do this. 

>> Okay.  Society means citizens so generally people, layman and later on all those who are involved in processing personal data, so the latter are not interested in data protection as rights as an element to protect human rights or other liberties but as ‑‑ let's say an element of ‑‑ that can make them more competitive and that can help them protect their reputation and be more ‑‑ let's say efficient in the digital economy because when ‑‑ or when individuals or whoever trust you and trust you are protecting their data, then they will go for work with you, and they won't hesitate to their own data, so what we did is we supported legislation, a project of law, and it was out three weeks ago we found what we proposed wasn't there.  Our proposition is a creation of an authority of protection of informatics and liberties we took the model of the French queen, not because our system is based on the French civil law, but because also we have many concepts and principles in our constitutions that can support this proposal, and the main objective was because we believe that if we were to be implicated or to benefit from the information society, then we have to find the most safe and trustful and way to do it.

>> MODERATOR:  Okay.  So if you were going to make any recommendations, policy recommendations, or legal recommendations in terms of changing constitutions, what would ‑‑ the country that hasn't got a legal framework to deal with data protection ‑‑

>> Yeah, I would say that harmonization of legislation in this feed is a must.  I heard him talking about tens of jurisdiction at the commonwealth, but I think the legislation in defeat of personal data protection has to be harmonized because we are talking about a new world, so the jurisdiction ‑‑ no, finally, it's the same challenges.  They are ‑‑ we have the same challenges.  We have the same ‑‑ let's say some fears.  We have also all this interest in being a part of this digital development so for the same problems we have to fetch to look for if not for the same solutions that can meet and that ‑‑ that should not go in conflict.

>> MODERATOR:  So it's getting on the political agenda is really the way of creating the obstacles and changing the data protection in a country that hasn't gotten established ‑‑

>> Oh, awareness is a very important part of it, and awareness and cooperation at the national level, first of all.  I mean, all those multistakeholders, the people who are concerned of the protection of the data should work together.

>> MODERATOR:  Uh‑huh.

>> And then later on we need cooperation here at the national level between private and public sectors because the two of them are concerned and then later on between the countries, different countries.  They want to cooperate.  Cooperation is a must, travel over boards ‑‑ we cannot talk about national and specific for ‑‑ that's my opinion.

>> MODERATOR:  Okay.  Thank you. 

      Now, I'm going to over to Salanieta if that's okay because I think that will work on the capacity developments and looking at data protection and, yes, Salanieta what are you doing in Fiji in the Pacific region and who's helping and do you need more help?

>> Thank you.  Sala for the record.

>> MODERATOR:  Sorry.

>> Just to make it record.

>> MODERATOR:  Oh, yeah.

>> I thought I would set a bit of context.  Fiji has a constitution, and we have two articles one for privacy and the other for access of information, and the constitutional framework gives legitimacy in terms of the creation of any instruments to do with data protection. 

      Now, in terms of having a data protection genetic framework in Fiji, we do not have, like, a generic one, however different industries across Fiji whether it's aviation, banking, whether subjected to different legislation instruments that have provisions to protect ‑‑ to a certain extent, customer information, personal information in the case of the health industry, for example. 

      And as you can imagine, living in a global world we have Geospacial information, and it gets cached within a country, and that's also true for the rest of the Pacific.  Sometimes it's cached offshore. 

      Now, if you look at Germany, for instance ‑‑ I remember when I was doing some school there, Google ‑‑ I was trying to look for Google to look at where I was going to be accommodated, and I noticed very quickly that, you know, houses were not part of it.  Now, that's part of the extensive privacy framework, and it's already Canvassed by the first panelist who said in Asia‑Pacific we have the APEC framework is right, and we have the APEC border ‑‑ let me have a look, one second.  I'm a bit jetlagged.  Give me a second.  Where we have ‑‑ what do you call it?  Principles morals. 

      Now, having said that, Fiji also has is a party and has ratified the ICCPR which neatly Canvassed the rights to privacy and, of course, I already mentioned that's also within the constitution. 

      Now, in terms of de‑anonymization information to be tracked back to patients and that certain thing, that's an issue because of the diversity ecosystem and the systems of the plethora of industries which deal with diverse data, there are different legislative instruments that deal with certain aspects, for example, telecommunications, we have a telecommunications promulgation decree which has specific provisions for getting the access, you know, unless you have specific court orders or the enforcement orders that come in requesting data. 

      Having said that, you have like things like census or even ‑‑ I think maybe I should mention a scandal ‑‑ a recent scandal which was birth and data records, birth and data records, and it's been rumored, and it's been said there's been certain investigations currently in Fiji.  I'm not sure I can comment on it, but I guess I'll comment on it because we have elections tomorrow, not that it matters.

(Laugh.)

>> But there's been certain birth records that have been duplicated and sold to Pakistani nationals for ‑‑ I think it was purported to have been sold for, like, 10,000, so that people could get passports, so you have birth and data registration for a specific individual, you know, and so things like that. 

      And then the other thing I wanted to very quickly cross over because you mentioned the GDPR and just to see how the linkages and the nexus with Pacific island countries.  Now, if you ‑‑ take, for example, the financial industry, tell me if I'm out of time.

>> MODERATOR:  No, no, that's okay.

>> Yes, and if you look at the finance industry, for example, you've got, you know, back‑end platform vendors and if you see a lot of companies that are listed in the London stock exchange ‑‑ a lot of them, you know, like global submarine providers, satellite providers, for example, the international Marine organization or IMO ‑‑ I was just sharing a joke with ‑‑ sorry, turn it off, yes, with Miguel from Paraguay about flags of convenience that's another story.

>> MODERATOR:  Okay.  Well, thank you very much.  You covered a lot there, and there's a lot to cover, and I'm not sure we can do it in an Mary.  We'll turn it over to Mary and talk about data breaches and privacy, data protection and what recommendations you have.

>> Thank you.  I'll just go straight to the point.

>> MODERATOR:  Okay.  And raise other points.

>> MODERATOR:  Okay.  Now, in Nigeria we have the cybersecurity law.

>> MODERATOR:  Right.

>> But it did not talk about data protection, so there's nothing like data protection, but what has ‑‑ we have started doing is that the senate ‑‑ the national assembly, the ‑‑ they just started a group ‑‑ working group ‑‑ as part of working group on GDPR.

>> MODERATOR:  Okay.

>> To advise the lawmakers because if they're going to pass any law on the deportation, so they're working on that as a group.  They held one meeting where some of us attended and there was those from the EU who came and had a retreat.  I don't know the outcome of the retreat as we speak, and there's an ongoing Savoy at Oxford university consultantcy is dealing with the national security of advice.  They are talking to several sectors of the economy ‑‑ of the industry and some were invited, and the regulator has dedicated the telecom regulator has a dedicated cyber ‑‑ new media and information security, so they are focusing on information security.  Fortunately, the director is here, but nothing has started on data protection, and a lot of capacity ‑‑ we don't have the capabilities ‑‑ we don't have the capacity, and so we need to as ex‑pats we need to create awareness and help in that area.

>> MODERATOR:  Okay.  Awareness question?  Capacity‑building and then writing of the legislation and all the rest of them.  They don't have it yet, so all are the areas that we need. 

      One other thing is that our ‑‑ they're going to look at how the GDPR will affect our ‑‑ the registrars we also the registrants of the domain name, and so they came up with a statement that's published on their website, and they're, you know ‑‑ that is the much well done, and so we still need to build a lot of capacity.  We need to advise the government.  We need good advice for the government.  Thank you.

>> MODERATOR:  Thank you very much.  Now, would you like to respond to anything that you've heard and essentially give your own experiences in terms of what's going on in the common thread network and how you potential get support or how support can be provided to these countries?

>> Very briefly from our experience, we ‑‑ it's interesting because we ‑‑ we worked with Nigeria months back, and it was only one meeting and nothing came from that, which is interesting.  We advised Ghana recently on their legislation, and so I think we progressed well and implemented legislation.  They have a very active data protection commission was active on the continent in Africa and is working with other counterparts because while we have the common thread network ‑‑ I made the common thread network, but we have other common thread network in Africa which recently had been established and the network for the Francophone and the Anglo‑Saxon communities to work together because the language barrier makes people not work together but in that sense they established they can work together and have under joint leadership, so my experience I think that works well to instill that.

>> MODERATOR:  You mentioned ‑‑ you mentioned that 30 countries have data protection legislation and commonwealth ‑‑ but then only, what, a handful have ‑‑ maybe only a few hands have commissioners.

>> Uh‑huh.

>> MODERATOR:  Is there ‑‑ do you see value in ‑‑ how is ‑‑ should ‑‑ is that the right way of going about data protection governance?  And every country ‑‑ some countries are very small.  Some countries are very large.  Like Nigeria, a very large population, but, you know, this is certainly a need I would imagine for a commission to take on that legislation process, but not every country has that model, so what's your recommendation there?

>> Well, whatever model you impose, you need ‑‑ I mean, having regulation without somebody to oversee that regulation has no meaning, no purpose at all.  I mean, it's like any sector.  If you want to ‑‑ you could be crossing issues ‑‑ you need somebody to enforce the legislation, otherwise, it has no meaning at all.

>> MODERATOR:  Okay.  Whatever the model is, whether it's a commissioner, a defensor ‑‑ they should have some ‑‑ some powers to ‑‑ 

>> MODERATOR:  Okay.  Right.  Well, thank you very much.  I'll pass it over to Elena and Teresa making comments on ICANN.

>> Sure.  I'll kick it off and then I'm going to hand it over to Elena more on the specifics for ICANN and GDPR. 

      Just a couple of observations from the comments here, and this is something that we're really starting to see also from ICANN's perspective.  Is that the emergence of legislation he and regulations that are very well‑intended:  Cybersecurity, data protection ‑‑ issues that really need to be dealt with, and once you apply those to the technological environment in ICT, you oftentimes see unintended consequences or unintended results out of it potentially a patchwork of legislation in different countries, whether within the commonwealth or between the Commonwealth countries and the European Union ‑‑ it doesn't matter where it is that may have an impact on the ability for transporter commerce or economic growth or societal matters that are being dealt with at the national or regional level, and, so this is ‑‑ this is something that I think is an opportunity for experts to help inform the establishment of regulations in legislation that are well intended but find them in ways that they're scalable not have a harmful aspect to the social and economic growth that ICT and technology and the internet offers to all parts of the world, and, so this is sophomore of a general observation that I think we'll continue seeing over time. 

      When we look specifically around ICANN, and this is a very specific example of, you know, the European data protection legislation ‑‑ so the GDPR is very well intended.  It's ‑‑ you know, the intention is really to allow your personally identifiable information to be protected, and that's an important aspect in today's world you take that then of the next level of ICANN where we have what is called the "who is information" which you know very well when you register a domain name you provide that information and that information historically had been intended to be able to find the party who might have another name in order to solve maybe an issue between those two parties and allow them to solve that together.  Now going through time, that "who is" information is important in the domain system and as we look at the applicability of GDPR in relation to ICANN, specifically, and the use of "who is" in relation to the contracted parties we have ‑‑ not the CCTLTs not that we have them under contract, but we have them under a generic space, but we had to work through a process to make modifications to the contracts to be compliant so traditionally available information to the public with the registrant's option to have it private really had to have now a segment of that "who is" information the person identifiable part that was made private and the rest of it made public.

     So we went through an iterative process with the community and through consultation documents and materials established what was referred to as the calzone model, trying to solve many different issues and that resulted in the adoption in May of what is a temporary specification, which is a modification to our contracts, which for the first time made a requirement that there's publicly available information and nonpublicly available information. 

      But, so that then raises the question for all the stakeholders who still want to get access "who is" rather it's law enforcement for cybersecurity reasons, intellectual property users ‑‑ maybe ‑‑ I would like to know whether an email that was sent to me really came from the person who says it sent it or the news article is actually from a source that is really the newspaper that claims it's coming from.  How do we enable that to be possible under now, this new system? 

      So we've been working with a range of areas including trying to determine whether it's possible to have a unified mechanism to determine that, but one that is scalable on a global level while meeting the requirements of the GDPR, but with that I'm actually going to turn it over to my colleague who's dealing more with the specifics of the European part that might help inform some of the discussions here, if I may.

>> Thank you very much, so I'm not going to bore you with a lot of details.  We can talk about this forever, just to mention briefly who database who is specific to ICANN is not the only database that has some relevance to the database, and there's other databases around it, and they might as well be affected so again the message is:  When legislation is delivered, it is developed ‑‑ the technical community should be part of this discussion.  We plea you to make us part of the discussion and we're there and available, and I'm placed in the Brussels office over at ICANN, so I have a lot of exchange with the European DPAs and the European states trying to mitigate to tackle this issue, and you might have noticed that the DPAs ‑‑ the European DPAs at least have issued guidance, so they can have issues of statement of alteration, and this is quite ‑‑ I would not ‑‑ it's not ‑‑ I can't think of the word there, very, very busy.  They have an issue guidance with other sectors that are huge but still they did the ‑‑

(Inaudible.)

>> And that's the recognition of the fact that is a significant thing to tackle, so I paid a visited to the turkey DPA because they wanted to discuss the issue.  How the data privacy legislation might have an affect on technical opinions.  We're willing to continue discussion please include us in the discussion.

     And I have to ‑‑ just one point I will take for you, from Mona, cooperation is important.  I agree.  Imagine if we develop different fix around the world.  Yep. 

>> Excuse me, yes, actually what ‑‑ whatever legislation all regulation that is intended to touch technology or whatever of our daily life that is connected with technology needs this cooperation because even legislators don't necessarily understand what is to be regulated or to be organized but let me first give you some answers to what you were talking about.  I think that ‑‑ according to the GDPR, there are some exemptions because the nature of the organization work or ‑‑ whoever institution that is related ‑‑ directly related to the management of personal data.  When this institution ‑‑ institution needs this data, to verify operations or to prove or to defend some interests, then here the rules are different because the main objective of the GDPR ‑‑ actually, this morning we had the meeting with the president, and we were ‑‑ she was talking about this actually, but the main objectives of the GDPR is to give these individuals a kind of control on their own data on the assets of digital economy, and when another objective is to help the development of ‑‑

(Coughing.)

>> So this will harm other ‑‑ whatever sectors involved, it won't work. 

      As an example, take the financial institution and ‑‑ here, you can see that they have their own way of protecting their personal data and of using this data and also of ‑‑ let's say keeping this data for more period ‑‑ for a longer period of time while ‑‑ I mean, they don't have, for example, to delete the data after an operation with a given client is finished because maybe in the future they will have to go back to this and prove something, the police, the law enforcement ‑‑ whoever doesn't have ‑‑ don't have to be treated like usual or whatever individual or institution.  You see?  They have ‑‑ they can be seen differently by the GDPR.

>> MODERATOR:  So the GDPR compliancy ‑‑

(Inaudible.)

>> MODERATOR:  Thank you, Mona.  GDPR compliance will be an issue ‑‑ the honeymoon period isn't over ‑‑

>> It's over.

>> MODERATOR:  Is there leniency for businesses and organizations in the transition because, yes, everybody has ‑‑ but in terms of data management the best practices of containing data there's a lot of organizations that surely aren't complying if you went to order their data management and how is ordering data ‑‑ how is that going to be managed ‑‑ how can it be managed by organizations?  It's a very big mountain to climb in some respects? 

(Speaker Not Mic'd.)

>> We're talking about the ‑‑  in the GDPR, those affected are the technical organizations like the ICANN as you have complained we have the Google collect the data and if each country establishes its own, will Google sign an agreement with all of them or is it better to have

>> That everybody would have been cooperated and agreed on that one and when they sign that one, it affects everybody?  I mean, it affects ‑‑ it covers for every country. 

>> There was a case against Facebook. 

>> Back in 2015 and GDPR ‑‑ well, you had different jurisdiction to Facebook and Facebook signing different engine results in different jurisdictions.  I would agree, yes, when you have regional agreement or interpretive agreement and the company can establish their own obligation that would be preferable in business. 

      When you reflect on the ‑‑ there's a specification to keeping all the data, yes, there are.  It's in their interest to keep their data, and there's different interest and a good reason for bankers to keep your data.  The payment services document number 2 ‑‑

(Talking Simultaneously.)

>> Also different the financial reasons, and there's privacy limited access and in that sense I can use that, and you have a contract, which is another basis for a legal ‑‑ basis for purchasing data. 

      But to respond to your question, Robert, yes, I think the honeymoon period is over because while ‑‑ what we took on board is that the GDPR was adopted back in 2016.

>> MODERATOR:  Uh‑huh.

>> And companies and business have two years to implement their processes, so they were provided, for instance ‑‑ if they're to appoint data protection officer which was a new part of the GDPR well, they have 2 years to consider that aspect.

>> MODERATOR:  Okay.  And make sure the capabilities is an important one because in the past ‑‑ well, for instance, you suffered a breach and then you had to tell the regulator what happened and then you have to justify what action you had taken after the breach occurred, which is the GDPR is different.  You have to tell the regulation what have you done in the past and that response is different under the directive framework.

(Inaudible.)

>> That's one thing ‑‑ I probably should ‑‑ 

>> MODERATOR:  I wanted to talk about the commercialization that you talked about commercialization in companies that can be held to account but so many that's, you know, I don't know, breaching data for let's say they're looking for a charitable organization, and they're working ‑‑ I don't know, some sorts of role, which is ‑‑ for good intentions but not money‑making, how are they reflected by data laws?

>> I want to comment on commercialization.  If you look at the 2016 global economic sales it was 1.9 trillion and globally in 2016 is APEC officials meeting, globally commerce sales was 1.9 trillion, where 1 trillion USD and one trillion is from Asia‑Pac and the rest is from the rest of the world if you're talking about motivations because when you're legislating or you're thinking about legislating you look at jurisprudence and look at motivations and the motivations of data is the monetization and commercialization, how valuable is that data.  In terms of selling to third parties that's where we have a problem like I'm from civil society, for instance, the recent data breach the Cambridge Analytica where Zucker apologized and the macro‑approach we're going to talk to a private sector and private sector is taking on to say, look, we're self‑regulating and here are our best standards and you've got instances where they've said, look, we got the Tech Accord?  So how far do we want to go, but I would just conclude because I got to pick up my luggage ‑‑ I would just conclude to say we need capacity building in this place in small island developing states.

>> Very, very quickly.  On the ‑‑ we're sitting on this table, I think, because we're quite unique in the sense Teresa.)

That is providing a service to the world we don't even have the database.  We don't have commercial use of the databases, so all these things are kind of ‑‑ we're in a gray zone of this law that was created ‑‑ I'll explain why.  The police, yeah, of course, there's police directive.  They're not under the GDPR and the exemptions are there for ‑‑ this law was made for commercial companies taking advantage or not or not doing good use of citizens we're taking ‑‑ it's not that straightforward.  Not straightforward at all, and we do not have the ‑‑

(Talking Simultaneously.)

>> MODERATOR:  I'll ask if there's any questions on the floor 'cause we're running out of time. 

>> AUDIENCE:  I'm from the U.K. government act harmonization absolutely is important and I think something else that it's well worth commonwealth states and others looking at as model lore is the council of data protection convention and 108, which is open to ratification by nonmembers of the council of Europe and just looking at the list of current nonmember signatories there are a number such as Senegal, Uruguay and others, and that's something to explore, and that's only a third length of the GDPR so not such quite a burden for the states to implement.

>> AUDIENCE:  But I think as well as harmonization debate I think it's quite interesting.  Nicole Gregory, sorry.

(Laugh.)

>> AUDIENCE:  Which, I think, is also quite interesting around ‑‑ based on principles as opposed to necessarily equivalent ‑‑ essential equivalent or whatever language you might use because I think it's coming out of the council of Europe as well and coming around what are the corporate principles we ought to be looking at, which, I think, you should be putting in a context and oversight being one without dictating what exactly what that looks like but some kind of independent oversight, and it could be some different kind of model on your local circumstances, and I think the idea looking at this from a principle point of view than a equivalent point of view is important. 

>> AUDIENCE:  My name is wisdom I'm a ‑‑

(Talking Simultaneously.)

>> MODERATOR:  I'm where are you from? 

>> AUDIENCE:  I'm from Ghana.  I'm speaking to guests of Africa, for example Ghana.  In 2015, Ghana ‑‑ we started a national data initiative and then along the line we're having so many issues in regards to data protection and all that, so we actually find a need to have one so in 2012 Ghana enacted the open data ‑‑ data protection law and all that to guide businesses, individuals everywhere but then there was so many issues but one of them was education.  Most people are not aware ‑‑ even the lawyers and judges and all that are aware of this data protection laws.  Even our education, educational sectors and all that so more you see people's certificates laying on the streets, and I think for the context of Africa the issues are there and Number 1 is education and political commitment.  It was like our politicians are also kind of I don't know the word to use ‑‑ 

>> MODERATOR:  The ‑‑ that was a very good addition to the discussion.  I think that our way forward ‑‑ I think one of the ways the CTO could do is potentially have a working group of members that can help member countries get a better understanding of what the issues are and how ‑‑ and build capacity in that area because I think there's still a lot that needs to be done in this area.  I mean, some in the seats know that and do you have anything else to contribute as a closing statement? 

(Speaker Not Mic'd.)

>> No closing statement, but it refers to what he said scalability.  I think you could refer to a report that was published in 2016 about international ‑‑ international data transfer because, yes, whatever system you come up with there needs to be something, obviously, of your regulation and with international data transfer what it means for you and internet what it means for you so experiencing data protection and what it means for you and difference of different information needs to be in your framework before you go forward with without overlooking that information.

>> MODERATOR:  I would like to thank everybody ‑‑ one more? 

>> AUDIENCE:  Just a comment ‑‑ 

>> MODERATOR:  Can you introduce yourself, please, sorry. 

>> AUDIENCE:  My name is Hal I'm the director of media and security communication commission.  I just need to add some little samples of an addition towards what Mrs. Uduma said.  We are working on cybersecurity issue when they come to Nigeria and cybersecurity essentials and where it is now and, hopefully, we'll collaborate with the issue of data protection regulation in the future.

>> MODERATOR:  Thank you very, very much.  That's a welcome comment, yes, we've done a lot in cybersecurity and developing in terms of building capacity in lots of commonwealth and we're hoping we can work again with partners to also provide this data protection field as well but thank you very much to everybody for coming and staying through the hour and thank you very much to the speakers that have participated. 

      Can I also ask the speakers if we can grab a photo outside just ‑‑ so we got something for the eCommonwealth magazine.  Could you just take a photo of us.  Is that all right?     

 

 

Contact Information

United Nations
Secretariat of the Internet Governance Forum (IGF)

Villa Le Bocage
Palais des Nations,
CH-1211 Geneva 10
Switzerland

igf [at] un [dot] org
+41 (0) 229 173 678