This is now a legacy site and could be not up to date. Please move to the new IGF Website at

You are here

IGF 2020 – Day 10 – WS204 Internet Data Protection Under Different Jurisdictions

The following are the outputs of the real-time captioning taken during the virtual Fifteenth Annual Meeting of the Internet Governance Forum (IGF), from 2 to 17 November 2020. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 




   >> NADIRA AL-ARAJ:  This session is being recorded and hosted under IGF Code of Conduct and UN Rules and Regulations and you have also this information put in the chat.  Just a quick reminder that the chat is supposed to be used for the social purposes only and we kindly request everyone to look at the Q&A Box for any questions that may arise from the audience.  You can share your initial presentation when the session is starting if you have it ready, and can you also take a snapshot, the print screen of the session and attach it to your report later on, and my colleague, Peter, will just put you a link to the possible questions from the audience, another link, under which you can receive questions, so please also kindly pay attention to this as well.

So welcome, everyone.  Enjoy your session.  If you need any support, if you need any help, we are here to assist you.  Enjoy the session.  Thank you.

   >> TIJANI BEN JEMAA:  Thank you very much.  Nadira, are you ready to start?  We will start now.  Nadira?  Okay.  Thank you.  We will start now.

Okay.  Good morning, good afternoon, and good evening, everyone.  Welcome to this IGF 2020 workshop number 204 about Internet data protection and multiple different jurisdictions.  My name is Tijani Ben Jemaa, and I'm one of the organizers of this and I will moderate it.  My co‑organizer Nadira Al‑Araj will act as remote moderator and will give you some housekeeping information before we start.  Nadira, please.  We don't hear you, Nadira.  We don't hear you.

   >> NADIRA AL-ARAJ:  Yeah.  Hello, all.  Thank you for those who accepted our proposal to be part of this schedule.  For housekeeping, again, as you notice the selected format of this workshop is designed to be a roundtable, circular discussion format.  Hence, we would like to hear not only from the esteemed speakers but also the participant.  Therefore, we are allocating 3 minutes for each, and please excuse me when I'm trying to provide a hard stop, you will be hearing from me, informing you have only 15 seconds to end your session.  I will moderate the Q&A port for the discussion and I try to bring whatever points you have to the floor for more discussions, and we are looking forward for you to share discussions because it will be part ‑‑ hopefully it will be part of the discussion and considered in the report, the two reports that we are generating.

Finally, those participants will take the floor to speak and will be promoted with us as part of the speaker, and we hope that they will accept to be on until the end so we can take a group photo.

Just a reminder, this session is recorded, and you can access to it at the end.  So, thank you all for being here, and happy to have you and have all of our speakers.  Back to you, Tijani.

   >> TIJANI BEN JEMAA:  Thank you very much, Nadira.  Nadira, we say not 15 minutes before the end of the slot, it will be 15 seconds before the end of your slot since the whole slot is 3 minutes.  Thank you.

So, now, for reporting we have two wonderful reports who are Natalia Filina, can you open your camera, please.

   >> NATALIA FILINA:  Hello, everyone.  I'm here.  Thank you very much.

   >> TIJANI BEN JEMAA:  And, also, Victoria Al Araj.

   >> VICTORIA AL ARAJ:  Hello.  Everybody.  Looking forward to the session.

   >> TIJANI BEN JEMAA:  Thank you very much.  As you know, the global nature of the Internet and transfer of digital information across borders brings an international dimension to the debate around data.  The generation, connection, processing, storage, transfer and disclosure of data, including personal provide economic opportunities than ever imagined.  At the same time, the massive use of data through the application of data‑driven technologies by public and private entities poses challenges around privacy, freedom of expression, and even business sustainability.

The protection of data on the Internet is today one of the most important concerns of the Internet users because of the repetitive breaches.  Several attempts to put regulations for protection of users' data under the net have been done for 15 years now, and today we have some regulations that in some countries and some regions, but how can the user's data be protected under different jurisdictions?  How can any regulation be applied for the Internet which is a cross‑border good?  As I just said, data use is today's subject regulation here and there, but more significant coordinated efforts are done to make these regulations harmonious to ease their application worldwide for questions related to the Internet.

Should there be an international regulation replacing the various existing ones?  This roundtable will explore the existing regulations and discuss the way to make the users' data better protected wherever they are based and make recommendations there upon.

On the table we have speakers from different regions and stakeholders, gender balanced, and with various perspectives.  The first speaker is my friend, Farzaneh Badii and social scholar and author of at social school and tell us how social differences are linked for yes or more regulation for domain name recipients.  You have the floor for 3 minutes.

   >> FARZANEH BADII:  Thank you, Tijani.  Hello, everybody.  So, sometimes during Internet governance, so we need to consider when we talk about data protection of the Internet user that we need to consider what sort of data protection laws and practices majorly affect the Internet globally, how do they interplay with the Internet institutional landscape?  Because Internet users' global data protection or lack thereof is dependent on Internet governance's institutional landscape and not only the jurisdictions that the users are in.  And while the jurisdictional differences have a role, they may not be global, so we need to ‑‑ we need to find out in this landscape what sort of jurisdictions actually affect the Internet and the data users globally.  Sometimes the data protection law suit of one region or one country can affect the whole world on the Internet, and sometimes the data protection laws of a country doesn't even have an effect on the global Internet.

As well as, sometimes there are data protection policies of transnational Internet governance institutions that can affect data protection on the Internet.  Now, the Internet governance institution that I'm talking about is, of course, Internet Corporation for Assign Names and Numbers.  For many years the ICANN decided domain name registrant’s data, such as physical, address, email and phone number should be published and publicly available globally, and it did not consider any sort of law and did not have to consider any kind of data protection law until the general data protection regulation came into effect.  ICANN had to comply and told the registries and registrars to redact sensitive data, but it said that it should only ‑‑ they're only obliged to redact the data of the residents of Europe and not the whole world, so it is not compulsory to protect the data of people around the world, and we need to consider that this brings a major problem to the data protection of users globally because ICANN is a global quasi‑regulator on the Internet and decisions affect the world.

And then another example that I want to make, and these tech corporations also have ‑‑ they do affect our Internet globally, but also, they can protect our data globally.  So, for example, when you look at private corporations, the adoption of the NS over HTTP or called Do, that in a nutshell encrypts your DNS traffic.  Since actors that want to adopt are major actors such as FireFox it's likely that these global corporations bring global data protection, and all I'm saying is that it is not a square box.  We need to look at the institutional landscape, we need to look at the jurisdiction be and the jurisdictions that matter and that actually affect us, and also the constitutions that react and play with those laws.  Thank you.

   >> TIJANI BEN JEMAA:  Thank you so much, Farzaneh.  Thank you.  Our second speaker is not here so we will go to the third one.  Our next speaker is Leon Sanchez, my friend who is a partner at Fulton and Fulton and who is a Board Vice‑Chair of ICANN.  And ICANN is the Internet Corporation for Assign Names and Numbers.  Leon, we speak about the difference between GDPR and Mexican Data Protection Law and how this has affected it.  Leon, please, you have the floor.  3 minutes.

   >> LEON SANCHEZ:  Thank you very much.  Hello, everyone.  Greetings from Mexico City, and Farzaneh has made some valid points and I just want to clarify that I am speaking in my capacity of private practicing lawyer and not the Vice‑Chair of the ICANN Board.

So, one of the differences that I see in approaches to data protection regulations, in this case particularly between GDPR and the Mexican Data Protection Law is a difference that the data protection law makes in Mexico to process personal data that are linked to professional activities or that are part of a legal person’s activity.

So, for example, when you see an email like mine, which is [email protected], the GDPR would classify that as personal data because it is a piece of data that can identify me and that can get a link to me, but the Mexican Law approaches in a different way.  The Mexican Law states that when you have personal data that is linked to professional activity or to corporate activity, those data are not considered as personal data and they can be treated as, again, data that are not under the scope of protection of the Personal Data Protection Law, and I think that is something that we are lacking in GDPR, for example.  We have seen how GDPR has affected different parts of our ecosystem, and part of it is exactly these lack of differentiation between how personal data that is linked to either personal or legal personal or natural person or legal person, to be handled by those controlling or processing data.

So, I see that as far as we continue to have regulations that approach differently how different kinds of data are to be controlled and processed, then we will continue to face these challenges that we see today.

I am not sure if the right way to address is this is to try to build an international framework for data protection.  I don't know if this is ‑‑ if maybe establishing data protection agreements between different countries could be also an approach to these to establish exceptions and trying to avoid extra territoriality into the applications of law.

So, these many pieces into this, right.  So, when we look at how cross‑jurisdictional data is treated and protected in different ways, well of course, when you translate this to the Internet ecosystem, of course, we have many problems that we are currently experiencing.

So, again, I don't want to go past my name.

   >> NADIRA AL-ARAJ:  Thank you, Leon.

   >> LEON SANCHEZ:  This is my point.  Thanks.

   >> NADIRA AL-ARAJ:  Thanks, Leon.

   >> TIJANI BEN JEMAA:  Thank you very much, Leon.  Thank you for the intervention.  I'm sorry for the time.  Because it is a roundtable and we need people from the floor to discuss.  Thank you so much.

And now to my other friend, Joanna Kulesza.  Joanna is Professor of International Law at Lut's University in Poland and also the Vice Chair of the Advisory Committee at ICANN and Member of the European organization, at large organization.  Her intervention will be about the European approach to privacy and data protection, including both the GDPR and the COE108 +.  Joanna, you have the floor.

   >> JOANNA KULESZA:  Thank you very much, Tijani.  I'm going to speak in bullet points and leave you with links in the chat, and I hope that is acceptable because 3 minutes is not very much.

We do have an international treaty that protected personal data universal declaration of human rights and treaties that make that commitment or domain on binding human rights commitment binding, so I'm just going to post the Declaration of Human Rights and if you look into Article 12 there is indeed an international binding consensus on the protection of privacy.  How do we protect privacy?  Well, we protect through personal data protection.

Now, there is, again, a framework that dates back to 1980s, and again I'm going to leave you with a link right there.  This would be the OECD Guidelines that deal with how we protect privacy through personal data.  The European perspective is unique, so we here in Europe have been dealing with implementing that right and that framework since the 1950s.  The Second World War left us with traumatic experiences of situations where personal data was not adequately protected, so we had that experience founded in human rights law, and you could even argue that it was the very result of the traumatic experiences of the Second World War and we've been dealing with this since the 1950s.

So, since the 1950s, Europe has developed, one could argue, the most comprehensive personal data protection framework.  The GDPR is nothing new.  We have been at this for at least 70 years.  We've supported the work that has been done in 1980s in the Council of Europe adds Tijani rightfully mentioned the Convention 108 is now updated is the international law for personal data and privacy protection.  I'm happy to elaborate the link but I assume since you joined this session, you're well aware between personal and data privacy protection.

The latest, the GDPR is strongly rooted, tightly rooted in the experiences of personal data protection in Europe and elsewhere dating back to the 1950s or 198 0s, if you will when personal data became an element of globalization and trade.

The reason why GDPR was designed to have that extra territorial impact is again based on lessons we learned since the 1990s.  I'm going to leave you with a link to the Safe Harbor Agreement that Europe concluded with the U.S. that failed predominantly because there was no trans‑boundary effect.

So, the if the purpose of the session is to figure out a framework for effective privacy protection online, I would argue we already have that.  Now, as every lawyer will tell you, the problem, the devil is in the details, so it depends on how we apply that framework.  I want to stop here.  I can see Nadira getting impatient so I'm just going to stop here and I'm looking forward to questions.  This is just a flag that there is a comprehensive framework we can fall back on.  Thank you very much.

   >> TIJANI BEN JEMAA:  Exactly, Joanna.  This is what was intended.  You have 3 minutes only to introduce this aspect of the topic and the discussion will make you give more information and more perhaps to elaborate on some aspects that people will ask for and that you want to elaborate on.  Thank you very much.

Now, the next speaker will be Dr. Sam Lanfranco.  Sam is Economics Professor Emeritus and senior scholar at York University and engaged in Internet ecosystem issues and development in ICANN, and also in global digital citizenship.  He's an Executive Committee Members of Society for Advancement of Science in Africa, and also an advisor to the Ambedkar Center for Justice and Peace.  He will introduce the global Internet citizenship practice and behavior, integrity, and universal access.  Excuse me.  Sam, you have the floor.

   >> NADIRA AL-ARAJ:  We need to promote him as a speaker.  Please, Norman, can you do that?  Thank you.

   >> NORMAN:  Yes, of course, I can.  Could you please repeat the person's name?

   >> NADIRA AL-ARAJ:  Sam Lanfranco.  I could see him among the participants.

   >> NORMAN:  Yes.  I have already made him a panelist.

   >> TIJANI BEN JEMAA:  Sam, do you hear me?  Sam?

   >> SAM LANFRANCO:  Okay?  Can you see me?

   >> NADIRA AL-ARAJ:  Yeah.  We can hear you, Sam.

   >> TIJANI BEN JEMAA:  Yes.  We can see you and hear you.  Go ahead, Sam, please.

   >> SAM LANFRANCO:  Thank you.  The background was not the one I planned for this, but it's the one we have and I don't have time to change it.

Thank you very much for this opportunity.  I'm very happy to follow the previous speaker because the theme is very similar.  2,500 years ago, when Diaganies was asked who was he, his answer was I am a citizen of the world.  If he were alive today, he would say I'm a citizen of the global Internet as well.

We're all residents of the Internet now from before we're born.  Our birth data gets recorded, we are there but we have no defined rights or obligations at the level of the global Internet ‑‑ legislation and national legislation is covering this and pieces of this, but it's the kind of piece approach it tries to protect the integrity and privacy of the individual.  I view privacy as part of integrity here.

The legislative concerns are a bit selective until we get to a point of having some definition of what it means to be a global citizen of the Internet and a national citizen of the Internet.  National citizenship is always operated in various ways, but since World War II since the Universal Declaration of Human Rights, we've evaluated how nations treat citizenship against those norms.  We need a similar process with respect to the way in which we deal with the Internet ecosystem.

We need the equivalent of the Universal Declaration of Human Rights, we need the principles that are embodied there in literal space to be extended to virtual space so that the well‑being of humans, the well‑being of society, the well‑being of nature is equally protected under that virtual jurisdiction as it is under the literal jurisdiction.

What rights and obligations should we have as citizens of the Internet?  That needs to be defined, not just by the well‑intended GDPR and other efforts, which operate one step below that.  We need to get the principles defined, we need to bring in ‑‑ we need to use those to define the integrity of business practices, social practices, government practices, integrity in the Internet ecosystem.

And if you're going to be a global digital citizen, and I'll finish with this because we're opening up later, we need universal Internet access.  You can't be a citizen if you don't have a voice, if you don't have agency, if you can't speak, if you can't participate, so I would go beyond saying we need the regulation.  We need universal Internet access as a way of building a digital citizenship on the rights and duties of global and national digital citizens.  Thank you.

   >> TIJANI BEN JEMAA:  Thank you, Sam.  Thank you very much.  And now the last speaker but not the least is Mohamed El Bekri.  Mohamed is a Researcher in Civil Security on Privacy and in charge of studies in the National Commission for Personal Data Protection in Morocco.  Mohamed will focus on data protection in North Africa and impact of emergencies related to COVID‑19.  Mohamed, you have the floor.

   >> MOHAMED EL BEKRI:  Thank you, Mr. Tijani.  Thank you for having me.  I'm very happy.  I'll try to be brief, so North African countries enjoyed and enjoy an extraordinary strategy position and are seen as gateways for both Europe and Africa, and they are also influenced by their host continent of Africa and as well as Europe.

So, if you go back historically, Europe is considered as having greatly and positively influenced data protection development in the North African Region.  If you take, for example, Morocco and Tunisia, the relatively two leading countries in the North African Region, you notice that they have been largely inspired by the European Data Protection Standards, both the two countries have ratified the 108 Convention and they are working on the work of 8 + ratification, which is the modernized version of the 108 Convention.

Another example of influence is Egypt, which has recently adopted the republic first data protection law that has entered into force in October 2020.  So, if you see the provisions of this law, you will notice that to a big extent is modeled in the EU GDPR, the General Data Protection Regulations since it adopts similar concepts and definitions.

Regarding other countries, they have enacted the personal data protection law respectively in 2017 and 2018, but since then there have been minimal developments, and so in my opinion, even if the landscape today is quite disparate, since we have countries that entered the second decade of law like Tunisia and Morocco and while others have just recently enacted the privacy data protection laws, I think that there will be more incentives now to see a convergence in the north direction, meaning that the North African countries will upgrade their laws to be in line with the GDPR.

There is a mutual interest now because of both sides of the Mediterranean Sea are struggling with the impact of the human and impact of COVID‑19 and regional need to integration and complimentary.  The majority of the North African countries entertain a good relationship with the European countries and are close enough to Europe to host investment and to serve as a platform for goods exchange.

   >> NADIRA AL-ARAJ:  Can you, thank you, Mohamed.

   >> MOHAMED EL BEKRI:  Okay.  I can go further in the conversation.

   >> NADIRA AL-ARAJ:  The discussion, yes, we appreciate that.  Yes.  Great.  Thank you.

   >> TIJANI BEN JEMAA:  Thank you so much.  Thank you, Mohamed.  And thank you to all the speakers.  Now, as you know it is a roundtable, and I need the floor to interact and I see Dima Samaro to wants to take the floor.  Dima, please, the floor is yours.

  DIMA SAMARO:  Hi, Tijani and everyone.  Can you hear me well?

   >> TIJANI BEN JEMAA:  Open your camera, and we do hear you.

  DIMA SAMARO:  Okay.  Just one minute.  Okay.  I am good now?  Perfect.  Okay.  Thank you so much.  This has been a great discussion and I'm really enjoying it.

So, I wanted just to pick up on some of the points that the speakers have addressed, and just introduce myself, I'm sorry.  My name is Dima Samaro and Policy Analyst, so thanks again.

So, Mohamed mentioned something about Morocco and Tunisia and North Africa in general and since I'm also working on Middle East and North Africa, we have also noticed that even during this virus special circumstances and the health crisis of COVID‑19, we have noticed that our data is still being collected and being exploited either by public or private sector.  We have seen the deployment of contract tracing apps, for example, or publishing of names and addresses, home address and phone numbers of those infected with COVID, for example.  And this is ‑‑ this is alarming because we need to urgently implement data protection laws in our region, because also of the different contexts that we have and that we can, for example, take the experience of the GDPR and implement some provisions in our laws in the region.

However, we need also to process the special complex of our region and how data protection laws also might be introduced because some of the laws, for example, in Tunisia, when we want to look at the definition of personal data and what it means, the current law, doesn't provide any definition for or any information related to the digital space or Internet ecosystem, so your email address, your ID address, your coordinate is not personal data in the data framework in Tunisia and this is a problematic issue.

Another thing that I wanted to highlight is in general, in the laws and in North Africa, I couldn't find any provision about having the right ‑‑ the right to remedy or any venue for, you know, people if they want the right to conversation when their personal data is being protected, so there is no venue for that whosoever, and this would also leave the door wide open for lack of accountability and there would be no liability, and we need to you can at that about these issues especially in our region.

There are also some other points that I would like to add, but specifically when it comes to having these laws, so we need to have a global effort, but when we look at the laws and how they're being implemented in the region, we can also see that there is a huge discrepancy between the implementation of the law and the text, and so that's why I'm trying to think of ‑‑ (audio dropped).  I'm sorry for the long time.

   >> TIJANI BEN JEMAA:  Thank you.  Thank you.  It was interesting, and I think that you made a very good intervention.  Mohamed, do you want to continue on this?

   >> MOHAMED EL BEKRI:  Yes.  Thank you, Ms. Samaro.  In fact, when it comes to GDPR, what I noticed is that the countries are seeking to comply, to converge.

   >> TIJANI BEN JEMAA:  We don't hear you, Mohamed.  You are muted.

   >> MOHAMED EL BEKRI:  I'm sorry.  Can you hear me now?  I'm sorry.  Can you hear me now?

   >> TIJANI BEN JEMAA:  Now it is okay.

   >> MOHAMED EL BEKRI:  Okay.  Thank you.  In fact, thank you Ms. Samaro for your intervention.  So, when it comes to GDPR, what we noticed in the region is that there is a willingness to comply with the data, with the GDPR.  But the problem it is a very high standard.

Data protection authorities need more resources and the markets and the both public and private sectors need adaptations and need ‑‑ they need awareness to comply to such a very high standard.  So, it is true that some countries are willing to comply but they are lacking resources.

   >> TIJANI BEN JEMAA:  Thank you, Mohamed.  Thank you very much.  Joanna, I heard you, I heard you saying that there is already a framework established.  I have a big problem with that because there is a general, if you want, a general framework but as you know, the GDPR came with specific ‑‑ specific measures to protect the personal data.  This is something that we have of other jurisdictions in the world, and I know in Canada they have a very good regulation but the problem is they don't have fines; and since they don't have fines, nobody will care.  The GDPR put very strong fines that make everyone take care and everyone tried to comply with the GDPR.

   >> JOANNA KULESZA:  Thank you, Tijani.  This is like an introduction for me to respond?  Did I read that correctly?  Thank you.  Yes, indeed.  I agree that the GDPR has made a significant difference, and that difference largely lies in the fact that there is money involved.  And this is one of the reasons that the critics have been complaining about the regime we've had, details in data protection, whereas they had no threat, no one really cared about them and so we could argue that the signs are the very element that made data protection relevant.

GDPR is very specific, but as I already said, it builds on decades of experience, so to Europeans, largely, it is nothing new and we've lived with this for decades and we've adjusted our law accordingly so the European experience might serve, as Mohamed rightly emphasized as an example for other countries whether they want to follow it or not is an interesting discussion.  And I, particularly, enjoy these discussions around the African Region and you have different jurisdictions looking at this from different angles.

Now, you could argue that data protection is the price you might be willing to pay for a certain service.  Now, we've all heard that if a service is free, you are the good that is being sold and you're paying with your data.

Whether this is something the global NGOs or Internet user wants community wants to decide on and comply with remains to be seen that being based in Europe there is no doubt your privacy is the value to be protected and we do it through personal data.  And should that choice be made differently, Europe and different regions look at the U.S. and that's the reason why the Europe and U.S. still cannot agree on what personal data or privacy protection is.  You look at Asia with enhanced surveillance, Africa is about to make that choice of which way they want to go, and so I would say, just to summarize this very brief response, Europe has an experience it's willing to share.  If this is something that other regions want to share, we have specific answers and just to briefly link on Leon's intervention, we have public interest queries.  In for your region, your email is not protected because there is access to public information so it's a comprehensive framework that we offer to the world and where other regions wants to use it is yet to be seen.  I'm going to stop here, but I do have more in F that would be useful.  Thank you very much.

   >> TIJANI BEN JEMAA:  Thank you.  Thank you so much.  The topic of this session is how can we protect the user's data, why we have different and multiple jurisdictions, multiple regulations, and as you know there is a real fight between U.S. and Europe regarding the data protection and a lot of issues with, I think with Google and the other.  And so, I made the question, and I gave a question and I said it is ‑‑ it is a good opportunity ‑‑ it is a good decision to try to make a single, one single jurisdiction for the whole world.  I know that the answer will be it is impossible because the interests are opposite and people ‑‑ that is there is interest here which is not accepted there and so this is the problem, but I know and I think that there is several good principles on which everyone will agree, and so if we start by having these principles and try to build on them, try to make something which is accepted by everyone, even if we don't have everything addressed by this something, it will be in my point of view, at least a beginning, something to begin with.  Leon, yes, please.  Leon?

   >> LEON SANCHEZ:  Thank you very much, Tijani.  I very much agree with what you said, and I agree with what Joanna has posed in the table, there is already a framework that can guide us to try to harmonize the different regulations across jurisdictions.  However, I think that in the same fashion, that it happens with other frameworks that intend to harmonize regulations in different scenarios.  The fact that these frameworks leave the liberty or freedom to national laws to have different approaches to different issues, of course, which is part of each country's sovereignty, poses the real problem here.  Right.  We do have a framework, but we have different approaches.  We have different understandings.  We have different ways of protecting personal data from different sources, and yes, data is very valuable these days and it is an economic part to many economies, but nevertheless, we do need to ‑‑ we do need to protect user’s privacy rights and data protection rights.  And the only way that I see that we could approach this across jurisdictions in the fashion that Internet exchanges and data flows need to be addressed, is by creating this single framework in which we have not only the principles that you were saying but also some base definitions and understandings on how different data may be approached and processed and controlled, et cetera, et cetera.  Otherwise, we will continue to have these differences, and of course we'll continue to face challenges across jurisdictions as a consequence of these different approaches.

   >> TIJANI BEN JEMAA:  Thank you so much, Leon.  Thank you.  Is there any question from the floor?  I am waiting for you.  Do you have, yes, go ahead.

   >> FARZANEH BADII:  Tijani, I just wanted to mention something and I'm sorry if I had to drop off a little bit, but I listened to Joanna and Leon's interventions and I think that there might be a framework for data protection; however, it is not a data protection legal regime that can have an affect globally.  So why am I saying that?  Basically, you can have like various laws in different parts of the world and they can be harmonious.  However, if the laws that ‑‑ if where the major dominant tech corporations are incorporated and subjected to those laws, those laws that actually shape it, why does the GDPR works now?  Why does ICANN have to comply with it?  Obviously, because there is a big chunk of market, and there are many registries and registrars there that, you know, that are affected, as well as it has a transnational ‑‑ it has a transnational mandate.  However, if we come up with ‑‑ if we ‑‑ when I say that we don't have a legal regime, I mean that ‑‑ I mean that when people are affected around the world by the practices and laws of the specific regions and countries, and maybe we should address that, and maybe we should ‑‑ this is not necessarily a bad thing.  However, we need to, if we want to have ‑‑ if we want to globally protect data ‑‑ protect Internet users' data, we need to focus on a global framework that actually can, you know, can like extend and doesn't rely on one national law.  Thank you.

   >> TIJANI BEN JEMAA:  Thank you very much.  Thank you, Farzaneh.

   >> NADIRA AL-ARAJ:  We have a question?

   >> TIJANI BEN JEMAA:  Dima?  Yes.

   >> TIJANI BEN JEMAA:  One moment, please, Dima.  Nadira?

   >> NADIRA AL-ARAJ:  Yeah.  I just want to ‑‑ yeah, this is from ‑‑ excuse me for the spelling, from a participant and I'm sorry for the spelling.  I guess we may select some provision from for personal data protection which is most common across the country and create some basement recommendation or something like this.  On what level and which UN body can elaborate such work?  End of the question.

   >> TIJANI BEN JEMAA:  Is it a question?  I think it is a question.

   >> NADIRA AL-ARAJ:  In the end they're asking about the body of that reflection.

   >> TIJANI BEN JEMAA:  Okay.  Someone to answer it if it is a question?

   >> NADIRA AL-ARAJ:  Go ahead, Joanna.

   >> JOANNA KULESZA:  I'm happy to pick that one up.  Again, I'm fascinating by the discussion and I think it's very useful for us to have it because looking from my perspective, I would say that we actually have quite a few frameworks to choose from.  The GDPR has caught most of the attention because as Tijani rightfully noted, there is money involved.  But the Council of Europe 108, similarly to a treaty that they have produced, the Council of Europe has produced on cybercrime has an interesting spillover effect, and I appreciate the links that were shared to Professor Greenly's work and bases the countries that have unified the laws as far as they've indicated based on the same principles exactly on reach of the Council of Europe and OECD.  I think we have quite a few frameworks we can fall back on.  The GDPR is exactly the same thing that the Council of Europe 108 + Convention does and those two instruments are based on the OECD framework, and so I would be cautious in creating another forum or another instrument that would kind of repeat the same thing.  Trying to answer that question, I would say that we do have the basis.  It could be the UN as you indicate here or the Human Rights Commission, if you will.  We could have places to locate that discussion, and I would however be inclined for us to use the experiences that are already there.  So, they give you a specific answer, the UN Human Rights Commission could look into this, but I would be inclined to go back to the Council of Europe and see the spillover aspect of the Convention that they have provided to the specific framework has had.  Thank you.

   >> TIJANI BEN JEMAA:  Thank you very much, Joanna.  Dima and then Sam.  Dima, please.

  DIMA SAMARO:  Yes.  Hi, again.  Okay, so since now that we are talking about the GDPR and maybe you know like when we want to implement these provisions on different contexts or different versions, so there is more like a question or a comment that I have.  So, for example with customization where you need ‑‑ you know like to collect information to the extent that is needed ‑‑ can you hear me?

   >> TIJANI BEN JEMAA:  I hear you.

  DIMA SAMARO:  Okay.  It says my Internet connection is a bit disrupted.  So, for if we want to have a law for the business model specifically that we are talking about here and since they rely on us, for example, so if we want to have a clear definition or concept for data minimization to collect data to the extent that is needed, but I think there is still a loophole in this definition because at some point they may collect, you know, like the data more than required or more than needed, but it also the data might be important for them, you know, like or for Civil Society even to ‑‑ to be able to identify the bias of the algorithms or AI in general, and so I think the issue is a bit complicated because when we want to have like a global framework for all of those countries, I think this could happen and by now we are seeing, you know, like when new laws are introduced that is following GDPR, it's good, but I don't think it really fits.

So, I think there are some other points or details that we have to discuss when we want to talk about whether we want to have a global approach or effort on this or not.  But I'm happy to see from others what they think about these details.  Thanks.

   >> TIJANI BEN JEMAA:  Thank you, Dima.  It is sure that if we manage to have a global framework, it would be the best.  But the problem is that in my point of view, it would be almost impossible because the interests are really opposite, so this is the issue, in fact, but I think everyone wants to have this global framework regulation.  Thank you, again, and now Sam, please.  Sam?

   >> SAM LANFRANCO:  Okay.  I have to get unmuted.

   >> TIJANI BEN JEMAA:  Go ahead.  No.  Now you are muted.

   >> SAM LANFRANCO:  Okay.  Now.  There we are.  Okay.  Thank you.  Thank you.  Yes.  I want to first endorse what has been said in the past few minutes about the need to build on what we have, and then address Tijani's comment about difficulties.  Difficulties are difficult if you try to reach an agreement on legislation and policies that are to be implemented directly, but there are two points I would like to make.  The universal declaration of human rights did not specify policies, and it specified principles.  And for a global digital citizenship and as that impacts on national digital citizenship, we can work at that level, we can talk about principles.  The GDPR and related stuff is like looking at the problem through a microscope rather than a telescope, and we need to look through a telescope and we need to look forward.

We've been talking about the kind of data that technically was legally private but that the Internet has evaded, but coming down the pipeline with the Cloud, with massive computing, with artificial intelligence, with the Internet of Things, is a tsunamis of data that is not collected under these regulations, and is all tagged to individuals as being used by artificial intelligence algorithms to construct a whole variety of personas of you and me for good, bad, nefarious, commercial, political purposes, and I think at some point, we have to come back to the point that I am a resident of the Internet ecosystem.  I need some citizenship there, I need some rights, and I need some duties.  I mean, I need to know what it is that I shouldn't be doing in principle, and if I get really bad at that, maybe my national government should say, you don't do that anymore.

In terms of international agreements, I would point to the particular multistakeholder organization structure of the international labor organization, and the ILO has to deal with a lot of issues that take place in the seas, in the global seas, working conditions, all kinds of stuff.  Use it as basically a tripartite multistakeholder model and then produces recommendations that go back to become a multilateral agreement.  There are ways in doing that for a century.  We could learn from these processes, so we should learn not just about dealing with the problem but how parallel processes worked elsewhere.  Thank you.

   >> TIJANI BEN JEMAA:  Thank you, Sam.  Thank you very much.  Of course, building on the principles.  We need, as I said before, there are principles on which everyone is agreeing now, but this will not make people have certain regulations or certain law that will solve the problems that happen about data transfer and data use.  It will be ‑‑ it won't solve the problem.  We are constructing on principles, that's good, and I think that there are some ‑‑ there are some principles on which everyone agrees on, so we try first to have these and to agree on them officially, and then try to construct on them because now we don't have something for everyone, and I don't think we will have something for everyone very soon.  Joanna?

   >> JOANNA KULESZA:  Thank you, Tijani.  Just to provide feedback on those interventions.  I agree that the definition of personal data is one of the most ambiguous and contested issues we might have to look into, so this is just a second intervention on the whole scope of data that is used for providing online services within which we would need to define what personal data is and then apply those principles, so this is just to support that.

And I also agree with Leon that we might want to be creative, and I work on international law, and I love the UN and I'm a strong believer in a treaty, and let's get a treater and get it right.  But this might not be the best way to do it for the online environment, so it is about reshaping the multistakeholder model as we have it to better meet those needs as Tijani indicates, the principles that we agree on, and at the same time here in Europe we talk about co‑regulation, and so I hear those same things, it comes down to the ‑‑ like Tijani said, it comes down to the big companies that need to put those principles in their very specific policies, so I just wanted to emphasize, and you guys asked me to talk about Europe so I'm kind of giving the European experience that we've had, and this is just to say as an academic, I strongly support the need to have a more feasible approach, right, one that facilitates the multistakeholder model and gives us a workable response rather than a very rigid and legal framework.  So that was just that.  Thank you very much.

   >> TIJANI BEN JEMAA:  Thank you so much, Joanna.  And I'm sorry that the time is running.  We have to close the session, so thank you all.  Thank you for your participation.  Thank you for your input.  I think that we will the report that will show that we had some agreement on some points, but we still have to find a way to solve this problem because it is not solved and it will not be solved tomorrow.  I would like to thank all the speakers, the five speakers, the two reporters, and I would like to thank particularly Nadira and I give her the floor for the last words.  Nadira?

   >> NADIRA AL-ARAJ:  Thank you.  Yeah.  Thanks, Tijani and thanks, everybody.  And even that it's not my area of specialty, I really gained a lot of knowledge from it, and some of that I have to I a poll guys that the people from the Q&A, I couldn't reply to all of them, and I'll end up here and hope that we have a few minutes for one word from each one of our speakers, I think we can have.  Thank you.

   >> TIJANI BEN JEMAA:  Okay.  So, go ahead we will start with Farzaneh.

   >> FARZANEH BADII:  Yes, so as just like a ‑‑ so my point really was that the laws and are not on their own and jurisdictional indifferences are not on their own bringing data protection to us globally and international framework cannot bring us protection globally if we do not concentrate on where the actual data, where the actual personal data is being affected and by what policies and by what laws, and then we can fix them either through private corporations or through laws, but I don't think an international framework can be an answer now.

   >> TIJANI BEN JEMAA:  Thank you.  Sam?  Sam, please.

   >> SAM LANFRANCO:  Thank you, Tijani.  Just a very short one sentence.  A viable multistakeholder model of bottom‑up helping to educate and both build the policy requires universal Internet access.  Without that substantial portions of the stakeholders are disenfranchised.  Thank you.

   >> TIJANI BEN JEMAA:  Thank you.  Thank you very much.  Leon?

   >> LEON SANCHEZ:  Thank you, Tijani.  Just to say thank you.  Just to say thank you for organizing this session and I think it's been very productive, and of course let's keep the conversation rolling because as I said on the chat, I think approaching this in a multistakeholder way is what we actually forgot to address during the session.  Thanks.

   >> TIJANI BEN JEMAA:  Thank you very much.  Joanna.

   >> JOANNA KULESZA:  Just a thank you from me.  Thank you for setting this up.  Fascinating discussion.  Thank you, everyone.

   >> TIJANI BEN JEMAA:  Thank you, Joanna.  And Mohamed?  Are you still there?  Homo?

   >> MOHAMED EL BEKRI:  Yes.  Yes.  Do you hear me?  Yes.  Thank you.

   >> TIJANI BEN JEMAA:  I hear you.

   >> MOHAMED EL BEKRI:  I think it's not feasible to push toward a binding international instrument.  It will always depend on the specificity.  Thank you very much.

   >> TIJANI BEN JEMAA:  Thank you.  Thank you so much.  We are on top of the hour so the session is over.  Thank you all.  I would like to thank the technical staff from the UN.

   >> NADIRA AL-ARAJ:  And I would like to add, I'm sorry, I'm sorry, the screen capture, if possible, to open your videos who are here, we would appreciate to have a Dima, if possible, to even have our technical staff, ICANN reports, it would be good to have you.  Yeah.  Thank you.  It will be captured.  Thank you.

   >> NATALIA FILINA:  Nadira, I would like to be the photographer today, please smile for me.  We didn't see Farzaneh, unfortunately.

   >> NADIRA AL-ARAJ:  She's in, yeah.

   >> NATALIA FILINA:  Oh, thank you.  Beautiful girls.  So, please, smile for me.  Uh‑huh.  Thank you so much.

   >> NADIRA AL-ARAJ:  Thank you.

   >> TIJANI BEN JEMAA:  Thank you.  Thank you very much.


Contact Information

United Nations
Secretariat of the Internet Governance Forum (IGF)

Villa Le Bocage
Palais des Nations,
CH-1211 Geneva 10

igf [at] un [dot] org
+41 (0) 229 173 411