IGF 2018 OF #26 Commonwealth Open Forum - Data Protection

Room
Salle VI
Description

ICT continues to advance at a rapid rate and is providing a foundation for economic development. While countries are working towards creating digital societies, there is an urgent need to ensure the protection of data by implementing appropriate legal frameworks and raising awareness on this. The entry into force of the EU General Data Protection Regulations and its global impact also underscores the need for countries to pay attention to this issue. For many Commonwealth countries, especially developing countries, there exists no or inadequate legislation to address data protection. For those countries which have legislation, it may only be partially enacted as some states grapple with establishing the necessary institutional structures to give effect to the laws. At a recent Commonwealth Data Forum in February 2018, issues highlighted included pressing individual and collaborative priorities, and where inevitably limited resource should be channelled. Enduring themes emerged, including: the importance of learning from each other via rich and frequent dialogue, and information sharing; the pivotal role of education in this data space; and identifying and capturing risk, yes, but then confidently taking bold mitigating action. This session proposes to serve as a platform to: 1. Provide information on making data protecting laws relevant for the digital age 2. Raise awareness of the impact of GDPR on Commonwealth member states 3. Discuss the challenges faced in drafting and implementing data protection laws with a view towards overcoming these challenges, through sharing of good practices and facilitating partnerships to build the required capacity

Organizers

Commonwealth Telecommunications Organisation

Speakers

Robert Hayman, Manager, Events and Acting Manager, Capacity Development and Training, Commonwealth Telecommunications Organisation
Alain Kapper, Senior Policy Officer – International Engagement, Information Commissioner’s Office, United Kingdom of Great Britain and Northern Ireland
Professor Mona Al Achkar Jabbour, Professor of Law, PM of Information Security Panel –WFS, Head of Lebanese Information Technology Association LITA, Member Founder of Pan Arab Observatory for Cyber Security
Theresa Swinehart, Senior Vice President Multistakeholder Strategy & Strategic Initiatives, ICANN
Elena Plexida, Government and IGOs Engagement Sr Director, ICANN
Mary Uduma, Managing Director, Jaeno Digital Solutions, Republic of Nigeria
Salanieta Tamanikaiwaimaro, Founder and Executive Director, Pasifika Nexus and President, South Pacific Computer Society, Republic of Fiji

Online Moderator

Commonwealth Telecommunications Organisation

Session Time
Session Report (* deadline 26 October) - click on the ? symbol for instructions

IGF 2018 Report
“Commonwealth Open Forum - Data Protection”

- Session Title:
Commonwealth Open Forum - Data Protection

- Date: November 13th, 2018
- Time: 16:10pm – 17:10pm

- Session Organizer:
Robert Hayman
, Manager, Events and Acting Manager, Capacity Development and Training, Commonwealth Telecommunications Organisation (Intergovernmental organisation)

- Chair/Moderator:
Robert Hayman
, Manager, Events and Acting Manager, Capacity Development and Training, Commonwealth Telecommunications Organisation (Intergovernmental organisation) (In-person moderator)
Remote participation was not working for this open forum, there was no technical support in the room and as the session started late due to an earlier session over running, there was no choice but to continue without remote participation. (Remote moderator)

- Rapporteur/Notetaker:
Saiful Siddeky
, Senior Events Officer, Commonwealth Telecommunications Organisation (Intergovernmental organisation)  and Robert Hayman, Manager, Events and Acting Manager, Capacity Development and Training, Commonwealth Telecommunications Organisation (Intergovernmental organisation)  

- List of Speakers and their institutional affiliations:

  • Alain Kapper, Senior Policy Officer – International Engagement, Information Commissioner’s Office, United Kingdom of Great Britain and Northern Ireland (Civil Society)
  • Professor Mona Al Achkar Jabbour, Professor of Law, PM of Information Security Panel –WFS, Head of Lebanese Information Technology Association LITA, Member Founder of Pan Arab Observatory for Cyber Security (Civil Society)
  • Mary Uduma, Managing Director, Jaeno Digital Solutions, Republic of Nigeria (Civil Society)
  • Salanieta Tamanikaiwaimaro, Founder and Executive Director, Pasifika Nexus and President, South Pacific Computer Society, Republic of Fiji (Civil Society)
  • Theresa Swinehart, Senior Vice President Multistakeholder Strategy & Strategic Initiatives, ICANN (Technical Community)
  • Elena Plexida, Government and IGOs Engagement Sr Director, ICANN (Technical Community)

- Key Issues raised (1 sentence per issue):

  • Protecting the rights of citizens is important. The rights of individuals are more efficient in the digital economy. Harmonisation of different sectors is important, harmonisation of personal data protection must be harmonised throughout all areas. There may be challenges and fears but everyone has a right to be a part of the digital economy. Awareness and cooperation at a national level is important, cooperation between private and a public sector, and at an international level cooperation between countries is important.
  • The European Union data protection legislation, GDPR, is very well intended and that is to protect personal data and this is an important aspect in today's world.
  • The honeymoon period is over, GDPR was adopted in 2016 and companies had a two year period to implement the processes. Companies had two years to review their process and decide whether there was a requirement to employ data protection officers, or initiate data protection impact assessments
  • The commercialisation of data and value of data is the real driving force behind data protection regulations.
  • Legislation that touches our daily lives needs cooperation, regulators do not necessarily understand what needs must be compromised so it is necessary to engage the wider community as a whole.
  • Creating a Commissioner in each Commonwealth country may not be the way forward, no model fits all, but there must be an authority with sufficient powers to enforce the legislation.

- If there were presentations during the session, please provide a 1-paragraph summary for each presentation:
There were no presentations during the session. There were opening comments which have been integrated in other parts of this report, as they covered the same topics.

- Please describe the Discussions that took place during the workshop session (3 paragraphs):

  • GDPR came in to effect on the 25 May 2018. The principles enshrined in the EU Directive of 1995 have not massively changed but the scope of the new legislation goes well beyond its precedessor, notably in relation to the global territorial scope and the increased individual rights. The internet and digitalisation has changed the ways businesses and government interact, this has led to a new phase of globalisation, underpinned by the movement of data across borders. As recent reports have shown, movement of data have already superseded more traditional versions of trade, as major contributors to the economy. Data flows are important to economic growth of citizens. The role of regulators has become increasingly important to ensure the movement of data is used but not abused.

Moving on to the consumer argument, the rights of the individual rely on the unprecedented growth of personal data. Trust online also addresses issues relating to democratic governance, ethics and the fundamental rights of individuals with regards to privacy. Data can be quickly and easily transferred on to a third party to another jurisdiction, whether other principles apply. This can undermine the data privacy clause. This is of course what happened in October 2015 where the Irish authority asked the European Courts of Justice, whether data can be transferred across the Atlantic under the Safe Harbour principle without any further checks (the Schrems case). The Courts of Justice said these arguments were not valid. A new privacy framework has now come into force (the Privacy Shield), but that does not mean that the issues are resolved, we are in constant discussions with the US and we are still unclear over the transfer of data across borders to the US is a safe place to go.

In the age of borderless data flow there has never been a more important time for a global coherence on data protection and data privacy. The divergence of data across jurisdictions leads to the uneven levels of protection between jurisdictions, which leads to the need for legal controls over data across border flows and this is to prevent the growth of a more autocratic regime.

The Information Commissioners Office of the United Kingdom makes a recommendation too that there should be a more coherent regulatory approach with regards to cross border transfers But while there is no silver bullet or model to replicate at the moment, we can take a positive in that there is a lot of common groundin terms of the underlying principles (openness, fairness, purpose specification and collection limitation, use limitation, data security, accountability and individual access)

The divergences in approaches mean that we cannot consider that there is a perfect way to legislate or regulate and, as best next thing, we should ensure interoperability between the different regulatory systems.

 

The Common Thread Network is a forum for data protection and privacy authorities of Commonwealth countries. It has been established to promote cross-border cooperation and build capacity by sharing knowledge on emerging trends, regulatory changes and best practices for effective data protection. Currently within the Commonwealth, there are approximately 30 Commonwealth member states, with data protection legislation or policies, and this means that there are a large number of jurisdictions that do not have policies. Furthermore, there are a number of Commonwealth countries that do have a legislation but have not implemented it or have no oversight body to monitor the implementation.

The Common Thread Network exists to find commonalities and discuss together with other professionals what the issues are in terms of data protection. They hold regular meetings, and also observe the outcomes of the Commonwealth Heads of Government Meetings (CHOGM). In last April in London, there was recommendation on cyber security and connectivity agenda for trade and investment which pushed governments to overcome barriers in regulation that had previously existed to facilitate implementation of coherent policies and improve cooperation.

  • The Fijian constitution has two articles that canvass data protection and access to information. The constitution is access to legitimacy in terms of creation of end rules for the protection of data protection. Different industries are subject to different levels of intimacy that protect, whether it is the banking sector or health sectors. Fiji has a lot of sensitive information such as geospatial information and a lot of this information is sensitive and gets cached within a country. There is a telecommunications decree that limits access to private records unless you have court orders. In Fiji there was a recent scandal of birth and data records, certain birth records that have been distributed and forged for Pakistani nationals in the figure of 10,000 records.
  • In Nigeria there is no such thing as data protection in the legislation, however, the Nigerian Senate has started a working group on GDPR. One working group has so far been held, a partnership of the EU has visited the Republic of Nigeria but the outcomes have not yet been shared widely. Nigeria has also forged a partnership with Oxford University and an ongoing data survey is being carried out, with the Office of the National Security Advisor they are talking to several sectors of the ICT industry with a view to expanding the economy. The regulator Nigerian Communications Commission has a dedicated approach to new media and information security but nothing has been formulated on data protection. Nigeria does not have the capacity or the capabilities to progress in the area of data protection and we need the help of outside resources to continue in this area. Awareness raising, capacity building and writing of the legislation are all areas we need help. The Nigeria CTLD has gone ahead and looked at how the GDPR will affect the registrars and registers of the CTLD and information has been published on the website, we need good advice going forward. 
  • When you witness the emergence of legislations and regulations that are very well intended, such as cyber security and data protection, issues that really need to be dealt with, once you apply those to the technological environment of ICTs, you often see the unintended consequences or unintended results out of it, creating potentially a patchwork of legislation in different countries, whether it is in the Commonwealth or between the Commonwealth countries and the European Union, there may be an impact on the ability for transport of commerce or economic growth or societal matters that are being dealt with either at the national or regional level. This is something that is an opportunity for experts to help inform the establishment of regulations and legislations that are well intended but find ways to do them so that they are scalable and don't have a harmful aspect to the social and economic growth that ICT and technology and internet offer.
  • With respect to ICANN, they have the Who is information, when a domain name you is registered this information is provided, that information historically had been to help find another party that might  party that might have the other name, that information was made known and allowed parties that may have that issue, to solve that issue together. Going through time, that Who is information became important in the Domain Name System and if you look at the applicability of GDPR in relation to ICANN specifically and the use of Who is in relation to the contracted parties, ICANN went through a process of looking at the contracts to make them compliant. Traditionally available information available to the public, and the identifiable part was made private and the rest public. ICANN went through a process with the community and through consultation documents established the Calzone model that was to solve many different issues, that was adopted in May in what was a temporary specification, which is a modification to the contracts, there is a publication for all the stakeholders of the community that want access to information whether that's the law enforcement agencies, intellectual property users, etc. ICANN have tried to determine whether it's possible to have a unified mechanism to determine that, one that is scalable on a global level and meeting the requirements of the GDPR.
  • The European Union have issued guidance with regards to the GDPR legislation but it is not always easy to interpret how this should be observed in all aspects, cooperation is key to reaching a better understanding of the legislation.
  • With respect to the management of personal data, when an institution needs data to verify operations, to prove or defend, then here the rules are different. GDPR cannot harm other sectors, otherwise it will not work. Financial institutions have a way of protecting the personal data but also using and keeping this personal data for a longer period of time. Why do they not delete, why, because they may need to prove something legally in the future.
  • A question was asked whether the implementation of privacy and data protection could be standardised for all international companies, should companies such as Google, Facebook or ICANN sign separate agreements with various jurisdictions can one not be implemented across the globe.

- Please describe any Participant suggestions regarding the way forward/ potential next steps /key takeaways (3 paragraphs):

  • There was a suggestion made that the Commonwealth Telecommunications Organisation (CTO) should create a working group of members to help them look at the challenges and opportunities of implementing data protection and help build capacity going forward.
  • A delegate from Nigeria noted, Nigeria has collaborated successfully with the CTO on cyber security essentials capacity development training and he believes CTO can also help Nigeria with data protection.
  • There needs to be political commitment, as certain countries are not fully committed to taking data protection legislation forward. It is essential all Commonwealth countries must legislate on data protection.
  • A comment was made by Ian Brown, Department of Digital, Culture, Media and Sport who said harmonisation is important and it is also important for Commonwealth countries to look at the Council of Europe Data Protection Convention 108 and its ratification by the Council of Europe and looking at the current non-member signatories such as Mauritius, Morocco, Senegal and Uruguay.

Gender Reporting
- Estimate the overall number of the participants present at the session:
There were approximately 30 total participants

- Estimate the overall number of women present at the session:
Approximately 15 participants were women. The panel itself was gender balanced, with five out of seven speakers being women.

- To what extent did the session discuss gender equality and/or women’s empowerment?
If the session addressed issues related to gender equality and/or women’s empowerment, please provide a brief summary of the discussion:

The session did not directly address issues related to gender equality and/or women’s empowerment. However, it did consider challenges in how technical community, government and public sector security teams can successfully cooperate with civil society organizations.

-  Add your Inputs to the UN SG High Level Panel on Digital Cooperation as explained

  • There needs to be political commitment to take data protection legislation forward. It is essential all countries must legislate on data protection.
  • Capacity development is essential to increase the capabilities to enable countries to tackle data protection challenges nationally as well as internationally.