You are here

IGF 2020 - Day 6 - WS318&182 Discussion on the Protection of Personal Data/Information and Privacy in the Prevention and ‎Control of COVID-19

The following are the outputs of the real-time captioning taken during the virtual Fifteenth Annual Meeting of the Internet Governance Forum (IGF), from 2 to 17 November 2020. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

 

>> MODERATOR:  We will get started.  Welcome to the IGF forum.  This is the IGF workshop, and our workshop, the theme is the WS #182&318 Discussion on the Protection of Personal Data/Information and Privacy in the Prevention and Control of COVID‑19.  This is cohosted by China internet development foundation and this meeting, this is the Deputy Secretary‑General of the China internet development foundation, and also cybersecurity association of China and later, Mr. Luigi Gambardella will have a speech and Council of Europe, there are experts from Europe also from the consult Europe and others.  We have the First Vice‑Chair of the Committee of the Convention 108 from Council of Europe and we'll host the workshop together.  I must say thank you to all and with the global COVID‑19 social and the economic growth, it has been greatly effected worldwide.  Under this severe situation we are very glad to meet you here online.  I hope that everyone must feel good about this situation because some of you, you have joined this conference in your room, in your home, some of us, we come here in this year I hope that we can share our ideas directly and the ideas, it will give us a chance for the future.

We'll talk about personal data and information and privacy and issues with global attention.

Please, thank you.

>> TAMAR KALDANI:  This pandemic has brought tremendous challenges and many technical inclusions applied to stop the spread of the virus and the diagnoses and the treatment involving personal data, including sensitive health data.  I firmly believe that the data protection, it is not yes or no exercise, even in the crisis, it is how to exercise.  Therefore I'm privileged to co-moderate the discussion with such a distinguished speakers and looking forward to our discussion.

Thank you.

>> MODERATOR: Thank you.  I suggest our speakers say hi to everybody, and maybe waving your hand on screen.  Okay.

Hi.

Thank you.  Thank you, all.  Thank you.  Yeah.

So now let's start our workshop.  Due to the time limit, each speaker, please make sure to finish your speech within 7 minutes so that next speakers have enough time to share their opinions.  Today we're honored to have Mr. Liang Hao with us, Deputy Director General of Bureau of International Cooperation of Cyberspace Administration of China. 

Welcome Mr. Liang Hao.

>> LIANG HAO: Thank you.  Thank you, Professor Li, for inviting me here.

Ladies and gentlemen, it is my pleasure to be here to join you in our IGF workshop.

I would take this opportunity to extend on behalf of the cyberspace administration of China my warm congratulations on the opening of this workshop.

As we speak, COVID‑19 pandemic is posing severe challenges across the world.  It is reshaping how we work, think, live.  In this context, transitioning toward a global digital economy has rapidly accelerated.  Information technology, it has been playing a much critical role in many aspects.  For example, a democratic information sharing, supplies, assistance, telemedicine, et cetera, meanwhile, technology‑based anti-epidemic efforts if built or done incorrectly incurs risk to personal information and privacy, China attaches great importance to protection of basic rights and interests of the people, especially the right to personal information and privacy.  We have stepped up domestic legislature, the cybersecurity law which came into force in 2017 specifies that network operators should set up and optimize protection mechanism of user information.  The civil code adopted this May stipulates how to protect privacy and personal information.  The draft personal information protection law was submitted to the Standing Committee of National People’s Congress for Preliminary Review in this October.

It aims to cement the rights enjoyed by the subjects and further improve relevant legal system.  Protecting personal information and privacy is undoubtedly a global issue and no country is immune.  The world needs truly global solutions, China has put forward the global initiative on data security in this September.  Calling for collective discussions on measures dealing with data security risks as well as concerted actions on global digital governance.  I would like to take this opportunity to make the following three points, first, states need to improve domestic legislature and cross‑border coordination in a bid to establish multitiered personal information protection systems through legislative administrative, judicial and other instruments.  Governments should put a premium on and conduct in depth research in emerging issues facing personal information protection in our era of Big Data.  It is imperative to continuously improve domestic legislature to bring it in line with national conditions.  Governments need to adopt a multipronged approach in a holistic fashion to step up protection.  Our goals are twofold.  One, it is better protection of personal information and privacy, the other, it is to jointly foster sustainable global data governance.

Second, the roles of various actors should be given full play in order to form great synergy, security of personal information has a direct bearing on everyone.  Governments, businesses, technical communities, non‑governmental institutions as well as individuals, states need to facilitate cooperation between public and private sectors, advocate for company self‑discipline and continuously raise public awareness with a view to pulling everyone together for our common cause.

Third, we should further deepen international cooperation in cyberspace and continue to expect the significant roles of global dialogues and platforms in setting up rules on data protection.  States should in the spirit of equality, mutual trust and the win/win cooperation give full play to the UN's main channel role, leverage IGF, APEC, D20 and World Internet Conference and other fora for exchanges and cooperation and facilitate establishing international standards that are in the common interests of international community so as to ensure lawful, orderly, free flow of data.

Ladies and gentlemen, solidarity, cooperation, it is the only way forward.  Let us work together to address the challenges head‑on and build a community with a shared future in cyberspace.

I wish this workshop a complete success.  Thank you, all.

>> TAMAR KALDANI: Thank you for the interesting messages and because time is limited, we want to have all participants ask questions at the end.

Let me present with great pleasure our next speaker, Mr. Jennifer Kleijssen, Director of the Information Society and Action Against Crime at the Council of Europe. 

Please, the floor is yours.

>> JENNIFER KLEIJSSEN: Thank you very much, Tamar.

Thank you very much to the IGF team and all participants for your readiness and commitment to meet under these very difficult circumstances on such an important issue as the protection of personal data and the fight against COVID‑19.  I would like to thank in particular also our partners from China and from France in organizing this event, this workshop.

I'm happy to represent the Council of Europe at this meeting, an organization made up of 47 European Member States, but whose standards have reached far beyond the limits of Europe.  We're very proud to have elaborated convention 108, which is now 55 state parties and some 25 observers, and in our Convention, as most of you all know, it remains to this date the only internationally legally binding instrument on data protection enabling an active engagement from Member States all around the world on this important topic and on the challenges that are facing us, even more so in the light of the COVID‑19 crisis, of course.

In April, this year, in order to prevent ‑‑ to present our Member States with some guidance as to how to address the crisis, the Secretary‑General of the Council of Europe issued a toolkit which was called respecting democracy, rule of law and Human Rights in the framework of the COVID‑19 crisis.  In this toolkit, a number of data protection issues were underlined.  Since then, the Chair of the Committee 108, you know, the convention 108, it is looked after, it is implemented through notably a Committee of national experts, the TPD, and it published ‑‑ it has published several statements on how this convention, our convention, can be best used in the context of COVID‑19.  The main message is about the general rules and principles of data protection are fully reconciled without the fundamental Rights of the public interests notably the right to public health, this Convention is perfectly enabling governments all around the world to address the COVID‑19 crisis while respecting the rights to privacy, data protection set out in Convention 108.

In October, so very recently, beginning of October 12, 12 October, we issued a report setting out how states are doing this.  We showcased Best Practice developed by some Member States such as use of privacy, impact assessments, prior to taking measures to fight COVID‑19, privacy by design principles implemented by a number of parties in order to best address the issues relating to the current crisis, and we also highlighted a number of measures that pros problems such as mandatory use of contact tracing apps and measures with the State of emergency with timeliness.  There are many speakers after me, I will refer you here to the summary of the report, and I'm sure the link will be made available which makes two recommendations with which I would like to finish.  The first is to take in mind that this crisis, it will be over at some point and hopefully it will be over as soon as possible.  The measures taken by government, they might last and it is important to ensure that the exceptional measures taken by governments, it must be provided by law, must be respecting Human Rights and freedoms and must be necessary and proportionate in a democratic society.

Secondly, it is clear that the manner in which the health crisis has to be addressed needs to be addressed and make it is clear that data protection principles remain fundamental for effective functioning of democracies and our capacity to react promptly to the new challenges without undermining our core values, without putting our societies at a greater risk in the future will be the test that we have to meet.

On this basis, I wish you a successful meeting and look forward to the discussions.

Thank you so much.

>> YUXIAO LI: Thank you very much for your comments.

Now let's welcome Mr. Peng Feng, Deputy Secretary‑General of China internet development foundation.

One of our organizers of this workshop.

>> PENG FENG: Distinguished guests, participants online, ladies and gentlemen, good evening.  I'm very honored to participate in this forum as an organizer on behalf of China internet development foundation.  I would like to express our warmest welcome to all of the participants.  Our foundation is a public place and a public purposed social organization from the internet area, and since its inception, we have been focusing on the development of the internet with money and people power to promote the development of the internet and cybersecurity development.  In particular, we're committed to the cooperation of international partners so that the internet can benefit billions in the world, and COVID‑19 has put the world to test.  A lot of international meetings have had to be canceled or postponed against such backgrounds it is gratifying that we can hold this forum on time and this shows the benefits of promoting the development of the internet and IT technology, we know that with the rapid growth of the internet where we're enjoying the benefits of the internet, we're also suffering the challenge of the internet especially the leakage of personal data and privacy and it is now an urgent issue to effectively protect personal data and privacy. 

In 2019 China's cybersecurity promotion week, Chinese President had said that cybersecurity is for the people and by the people and it is important that we protect peoples' information, security, the rights and interests of people in cyberspace.  This has provided important guidelines for protecting personal data.  How can we improve people's sense of fulfillment, happiness, the security in cyberspace?  China is actively promoting the building of global internet governance system and to build a shared community in cyberspace, we have developed Chinese experience and attributed to the Chinese solutions in recent years and the China development.

The China Internet Foundation has actively participated in international governance in cyberspace and it is the 11th and 14th UN IGF forum.  We hosted workshops last year, and we hosted China, Europe, data security and personal information protection workshop to promote international exchange and this year, COVID‑19 has made ITU's personal data protection a focus of the world again and there is the epidemic.  China used internet technology and made a victory over the disease and we're also trying our best to help the rest of the world to show the possibility of China as someone participating in the epidemic control. 

I feel that on the one hand, it is key to leverage internet information technology, although COVID‑19 has affected our life and the production, however we see that the internet and the IT technology has played a unique, important role.  For example, distance, medical treatment, it has helped us with prevention control epidemic, the online supermarket and classroom has helped with our lifestyle and live stream commerce and eCommerce, it has helped economies to recover. 

In China, we didn't lose hope, and we launched a new way of life and work and study, and on the other hand, it is urgent that we're protecting the personal data and privacy because we use such apps as healthy codes.  We have been able to support a resumption of work on the production, but at the same time, there is a risk of abuse and leakage of personal information so data security has become a hot topic in order to answer people's concerns, the Chinese government has taken measures to find the balance between the use of information and the protection of information and the next steps, we'll continue to adopt measures to protect personal data and privacy in terms of data technology platforms and regulations so that people can be assured.

Ladies and gentlemen, friends, now global pandemic, it still is serious, more and more countries and people have realized that we share the same future and in front of common enemies we must be united to overcome the difficult times, we just alluded to the fifth Plenary session of the 19CTC Congress made plans for China's 45 year plan and we're going to start a new journey of building a socialistic modern company and this plan tells us we have to accelerate the building of cyberspace governance system, cybersecurity system and accelerate the protection of personal data and to build a global cooperation in cyberspace.

In the future, our foundation will continue to pay attention to data security personal information privacy protection so that we can better utilize or grow as a social organization and to promote the building of international consensus on personal data and privacy protection and we'll welcome exchange and cooperation with all relevant institutions so that we can all contribute to global digital development and building of the cyberspace community of shared future.

I wish this forum a row sounding success.

Thank you.

>> TAMAR KALDANI: Thank you for the initial intervention, thank you.  I'm sure during the Q&A session we'll have a chance to discuss in details.

Now let me introduce Dr. Stephanie Perrin, President of digital discretion, Canada privacy and information management consulting company and Chair of Non‑Commercial Stakeholder Group with extensive experience in data protection.  Please, Stephanie, the floor is yours.

>> STEPHANIE PERRIN: Thank you very much.  I'm now the former Chair.  I would like to give you a personal perspective on the work that I am doing pro bono on the specific COVID applications, and the first one, it is an example on data limitation, it is not always necessary to use IT for simple applications.  I volunteer as a privacy officer for the Anglican church of Canada, on the Ottawa and the municipalities asked the churches to enable contact tracing through con graciousness just because there have been vectors coming from church attendant, sectors of disease, we're using a clip board managed by the greeter at the door, that piece of paper goes with the name, address, phone numbers in a locked file be cabinet and will be destroyed after a month, that's a pretty easy solution to the data protection issue there.

My second application is much more complex.  This is the COVID tracing app for cellphones which has been developed by my former colleagues at industry Canada,, this is a federal government initiative done jointly with Ontario and is now available for free download across the country.  They have had both the federal and the Net Neutrality privacy commissioners review the application they did ‑‑ and that was shared then with provincial privacy commissioners, and they did a privacy impact assessment on the application itself, they have taken measures to escape random identity to use random codes and to make sure that the IP address is secured out of main traffic, not on the portal and destroyed after three months, that's security measure that maintains privacy because as we know, IP address can be considered personal information and leads to you the identity of the individual.  They have established an advisory council for oversight and that council includes a colleague from the Canadian civil liberty Union who have been quite critical of the whole concept of using cellphones for COVID pandemic tracing because of the implications of broader surveillance.

The portal, it is not available online but other materials are available online.  There was a commitment to ongoing row view by the privacy commissioner to ensure that the data management practices are being followed, this is a good application, pretty good example of building privacy in at the ground floor and my lingering concern that I'm sure that the privacy commissioners will be watching for, it is ‑‑ I have two, the phone tracing, in other words will this be the start of more phone tracing, and secondarily, they have already raised this issue, this is voluntary, it may be that employers and entities may insist on this, employers looking for employees to be tracked.

That is something to keep an eye on n is subject to both the privacy act and in the private sector, the privacy legislation.

Now my next example, it is indeed quite a bit more complex, I volunteer with Palantir Technologies on the Privacy and Disabilities Advisory Council, and that council meets regularly to interrogate the use of the company's privacy by design thinking in developing products and application.  If you're not familiar with Palantir, they are powerful artificial intelligence technology and software and they have made their phone dry technology and they have made their technology available to governments to help and battle in the coronavirus.  We have looked at some applications in providing the critique, the council is comprised of people with a career in data protection several things are brought out in white papers and in the public information that's been made available on this.  The first key thing is transparency accountability and proportionately in all data use.  These are overarching principles of data protection and they're imperative in the COVID application, citizens are not going to share data without trust and that will impact the disease spread.

In this, data governance is key.

Here are a few applications here.  In terms of outbreak prediction, supply management ‑‑ in other words, personal protective equipment, testing materials, beds in hospitals, personnel, this is all dependent on timely outbreak prediction and monitoring.  There are several risks, the data quality varies in all of these supply chains and it doesn't require personal data so data aggregation can be used and there's of course always a risk with data aggregation in variant data quality, data reidentification and lack of sound data governance, I will speak to sound data governance later.  In terms of COVID contact tracing, there is a need to know principle, it needs to be incorporated in the actual contact tracing, not everyone needs to know the personal identity or any of the personal data.  Quarantine monitoring and immunity passports, that's another application where data, rich data has been implicated.  There is serious risks of civil liberty infringement, racial or socioeconomic profiling, differential enforcement of pandemic extraordinary powers when it comes to quarantine monitoring, who is being quarantined, for how long, how much do we trust them, those kinds of questions arise.

Sound data governance, it is required here to ensure fairness and equity and no intrusion into civil liberties., but as required by pandemic legislation which most countries have in place when they need it.

The mitigations for governance issues, Palantir listed an overview of technical controls they consider essential for facilitating the sound data governance practices and agree with these and these with be built in in a privacy by design fashion.  First, it is discovering classification, the ability to find and differentiate between different types of data, not always present, you think it would, but it isn't, dynamic data minimization, limiting access to sensitive data, sensitive databased on the legitimate need and purpose of processing.  That's present in the law, not always built into the systems that provide access and that's a critical component.  Prompts and notifications, encouraging the appropriate use and accountability of data handling by enforcing additional controls prior to users accessing sensitive data and applications, it is really a subset of the earlier dynamic data minimization.

Auditing, facilitating oversight by maintaining a comprehensive overview of processing operations, retention, making data irreversibly irretrievable when the processing purpose has expired, obviously, it always in law has been for 50 years, but not always built into systems and not always easy to do in busy organizations.  I would like to note, finally here, that the effectiveness of data governance controls is largely dependent on the presence of some kind of independent oversight, usually in the form of a data commissioner or an independent oversight body, this is difficult to enforce if you're a private sector company dealing with clients.  This is where data protection authorities are really imperative to have a look in at what's going on, I must say that a civil liberty oversight board we have seen in Canada, in the COVID‑19 tracing app, that can also be helpful.

I believe I have remained in the 7 minutes, that's quick trot through three applications.

Thank you.

>> YUXIAO LI: If we're looking at personal data and privacy hat, we can try this, and now let's welcome Mr. Luigi Gambardella, President of ChinaEU, it is also one of our organizers of this workshop.

Please.

>> LUIGI GAMBARDELLA: Let me start with a very good news, just published in fact, I was looking at mobile, one of the biggest farm industry here, it announced COVID‑19, this is 90% effective, and this is great news for all of us and I see this news, it is spreading all over the world.  We will follow the next steps.

Let me start.  The first government lockdowns were announced in Europe in the spring of this year.  The debate on how to combine the respect to data privacy with the collection of data critical for the management of a public emergency was fast forwarded.  The debate, it was catalyzed by the often opposing views on the design and adoption of tracing apps.  In several European countries, the introduction, it was marked by public opposition, fearing that public health objectives were invoked to encroach an individual's private rights and a growing chorus of voices in the media, social media, began to question safeguards on the protections of the fundamental rights to privacy in the interest of a full, effective public health response especially when the case numbers were exploding in Europe why China seems to have successfully flattened the curve, there is much more resistance to defend the sanctity of data privacy in the face of such an acute crisis.

Sooner or later, the debate would have cleared up.  What was inevitably going to happen only happened on accelerated timetable.  From an internet governance and data privacy point of view, the outcome of the debate today does not seem very satisfactory, years of conference, speeches about the very high bounds set by Europe when it comes to account protection have convened to the European citizen that their data belongs to them individually, not to their government.  The GDPR, the knowledge delegations from these delegations, they must always be strictly required, temporary and proportionately.  The burden of proof is put on the health authorities that there is no less intrusive of a way than the one they propose to protect public health.  Therefore, when European governments sought cooperation of mobile operators to monitor the compliance with the lock dine social distancing measures on a greater basis, there was a public opinion backlash with many countries, while initially government envisaged making apps mandatory to better break the infections when they became apparent, the idea, it was dropped following the initial reaction against mobile operators and sharing location data with the public authorities.

In addition, apps based on localization has to be accountable.  Local internet right defenders rolled out the European policymaker would be granted the ability to track the location data of millions of citizens, and the main argument, it was that for governments having access to the personal data of its citizen may make this valid.  Implementing effectively tracing apps and other interactive tools usage to fight the virus strengthened.  How could we find a better balance between data privacy and handling in situation of crisis, the issue, it is not to design an ideal app that the public should sacrifice the protection of the personal data to some higher goods, specialists, experts, may agree on the perfect system.  The root of the problem is not a technical issue, but an issue of trust.  Trust building, it is a patient exercise.  Yes.  Application implying the processing of personal data, information that's been truly discussed between stakeholders such as Civil Society, developers, industry government, data protection authority, they will more easily be trusted than government‑driven applications.  If the government policy, to tackle COVID, if it is perceived as unclear, inconsistent, the European public will lose trust in the capacity of the national government to handle the crisis, this mistrust is still over 20 applications.  In such circumstances, initiative from NGO backed by the national data protection authority would see the most appropriate way forward, however DPAs, having all Member States well defined portfolio tasks and are not starting working with NGO such problem.  In a forward looking perspective, the mandate of the data protection authority should have been reviewed to enable the cooperation in cases of emergency, even if upstream of enforcement of the GDPR and oxygens could be that if the data protection authority cooperates to the design or tracing app that it would in the next stage be bared by the ‑‑ in case of compliance for breaches of the GDPR by this app.

My take is that the objection, it is not valid because in any case, the data protection authority, it would apply the same criteria to adjudicate complaints that's in the cooperation upstream.

Time is passing.

Another government issue is apparent.  How do we get our population online.

What is using a tracing app that the high risk population, above 70, they don't use a smartphone or only use it is to talk and reading.  Where this regulation is often stressful in these circumstances, it appears that it is a very vulnerable target for phishing and other criminal practice, keeping elderly users safe online, it is one of the most complex and difficult to other challenges.

Some European governments engaged with the technical community during this COVID‑19 period to find ways to mitigate that.  However, the success of any policy will depend on the channels available to communicate with the population at risk which are often very limited given the regulation of the elderly people in the European Member States.

My final point relates to the future of governance, until this year, the concept of this was linked to physical consultation meeting, interaction here, it is very different, and this year, physical meetings, allowed NGO representative to establish a new relationship and to further deepen, nonetheless during coffee breaks in the meeting.  There is no new normal where social interaction is limited and travel restriction, it will have repercussion in the current internet governance model. 

Thank you very much.

>> TAMAR KALDANI: As a former data protection commissioner, I took many issues, but I would now ask Eduardo Bertoni to address several points in the discussion that Luigi Gambardella made.  I think this is very important to really address.

Let me now present our next speaker, this is Ricky Rakesh, faculty and researcher on data privacy and protection, he was actively engaged in drafting data protection in India.  I'm grateful to have a chance to present Ricky.

Please.

>> RICKY RAKESH: Thank you.  I hope I'm audible to everyone.  This is a long way from India, Britain, greetings to everyone across the globe.

I enjoyed listening to a lot of points which fellows, guest, speakers brought out, and I think they're nothing in the sum of privacy is left, and technically at one point, we will compare notes, we have covered a lot of things.

What I have really wanted to draw attention without being politically bias, something from privacy world, which will be a problem, so a bit of background, I do help a lot of countries in writing the privacy framework and from a policy standpoint of view, I'm active in the Middle East and if you look at the whole system right now, the way that the Middle East and the rest of the privacy, it is very different, unlike other countries, Middle East don't follow a traditional Constitutional model, they don't have fundamental rights listed on a previous document, they don't have a central Human Rights document that will be the arch pillar for privacy principles.

If you look at a lot of other countries, they have a history of, you know, of a Constitutional remedy available to them and they try to piggy back on the privacy, that's happened in India, you know, the honorable Supreme Court of India, they made a 9‑1‑1 right and said, okay, since privacy is a fundamental right, we should mobilize or make some additional measures by virtual that we can really help them to strengthen the enforceability of that fundamental right and let's say how does a big IT giant in India, dependent on IT really get into a way to protect themselves from privacy issues.

There are two things that I want to understand as I mentioned, one is capacity building.  I think in a way everyone touched it and I think the honorable group from China covered the same point, no matter the country, small or big, you find a lot of challenges when you try to enforce privacy.  It is something that's happening in COVID, it will happen when tomorrow ‑‑ tomorrow it will be X or something other thing, we can't really know what's there in the realm of the future.  Essentially, any set of audience, in a country where you have linguistic challenges ‑‑ Europe is an example of that ‑‑ you can't overcome the cookie‑cutter approach to try to solve everything, India certainly is another example where you have so much of contrast in the literacy level, you don't have English as a first language for most of them, you don't have everyone at a basic baseline level of education, you don't have the same level of computer awareness with most of the people.  Now, with those kinds of challenges, what we're seeing right now in India, the most comparable thing is security, security came in 15 years back in the industry and I'm talking the traditional cybersecurity and when things really bumped up from antivirus to really high input system, if you look right now, the ecosystem, it is still struggling to find good professionals who can really give you good advice and could really help to you mitigate privacy issues.

We're not even talking about the deep down issues of AI, all of the medical worlds, we're talking about the general privacy issues.  That's the same thing that will happen with the privacy world, China, India, you know, anyone with a new privacy law.

How ready they are, with the kind of resources they need to support that.  How much government is really injecting time and money to make sure that you have the mechanism, you have the machinery that will provide you enough skills, with people that can manage it.  That's number one.

Number two, in terms of enforceability of privacy, of use cases, you will have to really think about scenarios where ‑‑ that's my son, you know, he wants me ‑‑ in terms of privacy‑use cases, you know, you have to also think that two countries, you know, they can certainly rely on basic privacy paradigm, as a result, I can tell you, everything across the globe is not same.  You cannot measure them with the same approach.  When GDPR came in, it is a popular saying in the west, when GDP came in, it sucked up all of the oxygen of privacy across the globe.  It was a hot topic.  The way I call it GDPR, it is ‑‑ an uncle in the family, everybody tries to compare them U know, Harvard, well educated, everybody in the world they compare it to GDPR, that's a good thing.  If we're doing it from an academic point of view, but then you have to really think about that Europe has a history of 50 plus odd year where is they have involved privacy from 108 to the GDPR, not many countries will have that privilege, not many countries have that history for privacy..

Many countries don't that that appreciation, they have other issues striking them hard.

The point I want to draw based on the research we have, done, when you try to create a privacy program, an establishment, the mechanism that you want to erect for the privacy, you have to make sure, you try to give your own country or your own requirements first preference, don't just baseline things because, you know, you're reading a fancy white paper, you know, from someone that works in Paris, things are very different in Paris compared to Beijing, things are different compared to other area, and we have to be really committed to this work.

Capacity building, comparables, the requirement of your own, it is only ‑‑ I think it is the only way privacy programs are still sustainable and it will be really something to work on.  I just want to conclude with the final remark, you know, we completed a recent study and that's the most important thing, which is also highlighting a kind of issue that many African countries face with privacy, you will find in Brazil, elsewhere, a country with other primary issues on privacy, a certain number of them, right, you go to India, you go to a shopping mall, Stephanie, you know, give me your family information, I will give you a coupon of 50%, there is a high chance in the end, they have a handful of data, it takes personal information over the requirements.  That kind of information, you have to invest ‑‑ you have to invest high on the education of use cases, and often people don't understand what will happen if the data is in the wrong hand.

Everyone has heard about that, about the crude oil contamination, the people, they really tried to stop, okay, is the crude oil, it should not spill in the sea, when it is there, then the bigger problem is that now, let's see how much harm it will really do to the marine life and how do we recover it?  Unfortunately, there is no right way to recover it.  If you look at the privacy program, not around the globe but according to your own people, your own need, economy, and the way you want to shape the next 20 years, privacy will slowly grow.  It has to grow organic, that's the point.  It has to grow organic, you can't inject it, fast pace it, if you try to do it, people will only give you one chance.  If you lose it, the game is over.

That, I think, I rest my case.

Thank you very much.

>> YUXIAO LI: Thank you.  I hope your son is okay!.

I thank you for sharing about a very important thought.

For the privacy protection divide across the world, it exists, and each country must look for the right way to protect that data and the privacy and there are principles and rules to fit their requirements.

And now I want to welcome Mr. Fang Yu from Director of Cyberlaw Research Center, China Academy of Information and Communications Technology.

>> FANG YU: It is my pleasure, honor, to be here with you in the forum.

Today I want to discuss issues about protection of personal data when facing public health crisis.  As we all know, Big Data has played a key role in accurate positioning analysis and prediction of COVID‑19 which also highlights the contradiction between public interest and individual interests.  I want to discuss how the government can ensure safe and reasonable use of the personal data of relevant people applying Big Data in a pandemic.  My speech is divided into three parts, including how to protect personal data in the prevention and control of COVID‑19, international experience and some thoughts and suggestions.  Now let's start with the first part, how to protect personal data in the prevention and control of COVID‑19.  The priority of public interest, it is a legal principle to weigh the use and protection of data in the context of conflicts between interests, how to balance it in the prevention and control of pandemic, largely depends on the principle of proportionately, that is comparing public needs or interests with the degree of Delegation of Individual interests to find a rhythm or balance.  First of all, the use of personal data is based on the premise of informing the private interest on personal data.  Then we can further seek the balance between personal and public interest which is a way to protect and use personal data at the same time.

Secondly, only when the protection of personal data in dangerous, public security can personal interests be restricted on the grounds of protecting property security.

Finally, according to the principle of proportionately, it is necessary to infringe another legal interest in order to protect one legal interest, it is prohibitive to accept the extent necessary to achieve this purpose.  That is when individual interests gives way to the public interests following that, the damage to individual interests, it needs to be limited to a reasonable level.

The second part, it deals with the practices of E.U. and the U.S., according to E.U. general data protection regulation, it is a lot to process personal data for public interest without the concept of the data subject in order to analyze infection diseases and to make early warning.  On March 19, the prone data protection board adopted a statement on the processing of personal data in the context of the COVID‑19, pointing out that data protection within GDPR, it does not hinder measures taken in the fight against the coroner pandemic, however the data controller and the processer must ensure the protection of personal data.

In the U.S., the Health Insurance Profitability and the Accountability Act of 1996 permits the use and disclosure of protected health data without any individuals, including public health activities, oversight activities, safety risk reduction and so on.

Finally, I would like to talk about some of my thoughts and suggestions, in emergencies such as an democratic occur, we should follow the principle of reasonableness and compliance strictly and prudently use the personal data, closely focus on the purpose of epidemic prevention and control and hinder the relationship between public interests and the individual interests to achieve a balance. 

First, when personal data is collected and used tore the purpose of prevention and control of pandemic, the scope of data controllers can be extended and the principle of informed consent can be exempted from laws to make the convention on personal data more convenient. 

The second, it is to strengthen the security awareness of the data controller or the data processer.  In the process of personal data collection, if the collection agency adopts the paper‑prepared forms to conduct investigations it needs to be guaranteed that the paper is not to be photographed or copied, if the relevant data is recorded electronically, it needs to be restored in a safe manner and encrypted.  Third, to clarify the norms for the sharing and use of personal data and any data that can identify individuals cannot be directly shared and disclosed and anonymity should be used in advance and it is necessary to eliminate the personal disclosure, only the gender date of diagnosis and area of the confirmed patient can be disclosed to satisfy the public's right to know the epidemic data and it is not necessary to disclose all of the detailed personal data of the patient.  The fourth, if the requirements of the public health crisis, the timely, adequate, the proper handling of personal data collected, it is also an important part of personal data protection when the pandemic, all parties should destroy or anonymized the personal of data in time and that should be happening reasonably with the sensitivity of personal data.  And the public needs to handle this to adopt measures that are appropriate so as to build a personal protection and a utilization system in emergencies.

That's all my sharing.

Thank you for listening.

Thank you.

>> TAMAR KALDANI: Thank you for highlighting the important data protection principles, we want the audience to be as engaged as possible.  Please use the box for Q&As.

Now let me introduce Francesca Musiani, researcher at French National Center for Scientific Research and Deputy Director of the Center for Internet and Society.

Please.

>> FRANCESCA MUSIANI: Thank you for inviting me to this panel.

When it comes to ‑‑ I thought I would provide sort of a national perspective on France, and not just an institutional one, because we have talked a lot about policies and the institutions that are working on them.  It is very important.  But also the ways in which privacy and data protection related issue, when it comes to COVID‑19 has been perceived and managed by citizens because France is pretty interesting example in this regard and quite different with respect to other national contexts so actually for a lot of French people, the two words coronavirus and technology have also become very closely associated with a third, that is to say resistance because ever since there's started to be discussions concerning the applications of COVID, for example, there have been several attempts by the French government to deploy digital technologies in order to monitor aspects of the population's activities, the movement, contacts, habits, and this has met with a fair amount of resistance from citizens and with several warnings coming from agencies tasked with protecting citizen rights that have been worried about the potential of excessive surveillance and the associated privacy risks and for several months a central point of debate is this application, which is the contact tracing act which works in the same way for example as a Singapore's trace together and others, this is controversial since first announced in mid-March and the problem, identified problem is especially the possible threats to privacy.  There were points of debate concerning for example whether the app would be able to access and collect individual data or other data that's not directly identifying a person although we do know that the total organization of the internet, it is very difficult to actually achieve, and other issues that were discussed, they would be for example if eventual follow‑up to alerts would be based on voluntary action of the concerned person or from a third party.

For all of the debate points, there is since then a limited number of downloads and even less so of notifications via the application which the press has said this is a disaster for the government.

Another point of controversy, privacy related controversy that's perhaps less known, the use of drones by French police to monitor public activity during the pandemic.  Following a complaint by the French Human Rights League to the Francis' highest level court, the state council ruled that drones would be banned until appropriately yielded basis for their deployment could be established or until they're adapted so that individuals filmed by the cameras mounted on the drones could actually not be directly identified.

It is interesting to underline that as with the COVID app, the main question, the privacy‑related and data protected related question here was if specific surveillance and data processing initiatives are authorized in a State of urgency when and how would the country be able to revert back to the rights that citizens enjoyed prepandemic.

Perhaps resistance to the data related technology has been particularly vocal in France because the pandemic has happened in a particular historical moment when other stuff was happening, including what is arguably a new low for citizens trust in politics, it was following the unrest and along the strikes of the public transport workers and secondly, perhaps France has a long history of actors that are very alert to these issue, both when it comes to NGOs and other Civil Society organizations and it is the French privacy commission, it is very active agency ever since the reactions to the public project which is the first large scale attempt by the government to create a centralized database of personal data, it has led to the creation now more than 40 years ago.  The French Data Protection Commission has proved to be an observer of the potential misuses and abuses of digital tools so it was almost natural that during the COVID pandemic it was no exception.

Where are we now?  It is ‑‑ all glances, they're geared towards the new version of the application, it is ‑‑ it has been presented in a very interesting manner because it is no longer supposed to be a contact tracing app, but one of the many components of the government strategy to not only protect, but to inform, so it is supposed to have an important function of providing more largely information on the current state of the pandemic and in the role of the citizen.  It is part of what the government has repeatedly designed as a strategy towards citizens, and at the same time it is obviously meant to minimize the more surveillance‑related content tracing related aspects of the application.

So just to conclude, I wanted to point to interesting publications that either have already come out or are coming out, the first one, it is data justice and the global perspective, I have the link in the chat, it is coming out, open access, a couple of months ago, at the end of the summer, and it is a very interesting example of the report and the transversal comments about how issues of data, technology, COVID‑19 have played out in a number of countries.  I guess it would be a good resource for several participants to this page for whoever is interested and is a French speaker, I don't think it is available in English as well, here is the presentation of the new con be tact tracing app and the rest, the application in France.

Thank you very much.  I'm available to take any questions.

>> YUXIAO LI: Thank you very much for your speech.  I hope that we'll read that in France or English version.  It would be good to have an English version.

Let's welcome Mr. Wang Lei, senior counsel of Sina Group to share his speech.

Please.

>> WANG LEI: Thank you.

It is my honor to be here to share my opinions in this forum, about the prevention and control of COVID‑19 in digital prevention. 

Here is my presentation and there are four parts, the first one, the necessity and possessing personal information in the COVID treatment and the second, it is the practice and the digital prevention and control that was in the process of COVID‑19 prevention, and next, it is the obligation to protect personal information in the digital academic programs and control and the fourth is the conclusion.

As we know, since the outbreak, since the outbreak of new coronavirus impacts and digital academic prevention and control has provided accurate, timely, comprehensive statistics of personal information during the academic period and here we have the necessity and the particularly of the personal information, because the digital academic prevention and the control has the advantage of being timely and comprehensive and you can process personal information in the process of academic prevention and control, the technical support for the adjustment of the academic situation and the high efficiency of digital prevention and the control demonstrates the necessity of the exploring of a new mode of emergency response in the digital area.

As we know, the obligation ‑‑ sorry.  My presentation has went past the second part.  The practice of digital prevention and the control in the process of COVID prevention, Big Data has become a powerful assistant for the academic control.  At present, it is particularly important to use cloud compute, Big Data, other technologies for detailed data and analyses which can effectively help the government to make scientific decisions.  According to the state counsels note on the scientific and accurate prevention and the control of COVID‑19 in February 25th, 2020 house code is the legal certificate for the administrative organ to comprehensively look at the personal health risk level and obtain the clarification to the return to work.

Here is the obligation to protect personal information in the digital academic prevention and control.  As we know, how to risk the scale between the disclosure and the protection, to find the appropriate balance between academic prevention and control, it has become the focus of social concern and it is true that the academic prevention and control needs the connection and the utilization and even parts of disclosure of personal information from government to enterprise, even to individuals, all of them should play an important role about the obligation to protect personal information.

Here, government departments collect and published the information related to the email according to their legal responsibilities and monitoring the academic situation with the emergency response and the Article of the regulations, the emergency response to public health emergencies and other regulations.

Enterprise organizations, individuals undertake the obligation of information reporting and use the data to support academic prevention and control with three steps, information, first one, information directly related to the academic situation shall be reported to the competent authorities and shall not be subject to the personal information protection rules.

The second, data processing, in accordance with the requirements in trusted contact shall now exit the relevant responsibility and the authority of the competent departments and shall not be limited by the personal information protection groups and the third, the independent analysis and utilization of the user data for the development of products and services related to academic prevention and control to fulfill their obligations of personal information protection and their normal circumstance.

The role of digital prevention, it shows that there is a social media platform that's set up an anti‑ COVID in the social media platform cooperating with the media, the government medical situations, institutions and the medical staff, and we were also actively fulfilling the main responsibility of enterprises and will deal with the content and the behavior of fabricating and looking at the fake news and the regional discrimination, in recent year, China has actively promoted the legislation and the practice of personal information protection, the personal protection system has been constantly improved and the law enforcement in key areas has been significantly strengthened.

My conclusion, the information collection, it is the proper meaning of the ding digital economy era and data is a strong driving force for the development of the virus views of society and it is necessary to clarify the rules of data utilization in spite of scenarios such as public events and how emergency events in the form of this.

Thank you.  Thank you.

>> TAMAR KALDANI: Thank you for your intervention.  Time is running out.

Let me present the next speaker, T. George‑Maria Tyendewza, head of Cybercrime Prosecution Unit in Nigeria.

George, please, the floor is yours.

>> T. GEORGE-MARIA TYENDEZWA: Hello.  Good day.

With respect to data protection and privacy, I'm just going to speak from the perspective of law enforcement.  Several of the speakers have already outlined a lot of the principles that we all agree need to be followed.  We're basically looking and sharing as we seek to counter the pandemic, and we also must respect the privacy rights of individuals.

An interesting aspect to this, for us, Nigeria has been how we have had to deal with collection of personal information as it relates also to the upsurge, the rise in online criminal activity.

While we have actively sought to engage and respect the privacy of our citizens and residents generally, because this is a Constitutional requirement, we have found that it is quite challenging for law enforcement to deal with the deluge of reports and complaints that came in in the wake of the pandemic because we saw a certain rise in phishing scams related to the pandemic.  There were phishing scams related to government interventions and Civil Society interventions aimed at alleviating some of the challenges posed by the lockdown so in the cost of that, the key thing, we have to deal with it, it is how we balance out the need to respect the principles for data processing as well as the need for law enforcement to get the requisite information to enable it and differentiate first of all between the people who are actually patients and people who may be in danger in terms of contact tracing and then those people that were hiding behind the situation created by the pandemic to perpetuate crimes.  This was a major issue.

We looked within the legal framework, the national health act of 2014 which essentially required that personal data should be anonymized and all of that, but you know from law enforcement perspective, when you anatomize information, it then make it is difficult, if not impossible for law enforcement to get to the perpetuators of the online came that were taking place.  This is a major dilemma that (for audio).

>> We cannot hear you anymore.

>> T. GEORGE-MARIA TYENDEZWA: I wanted to share.

Doing this, it is a balance, it is basically a balance of provisions relating to data protection and the needs of law enforcement, of course, it is essential to state that at all times it is ‑‑ one needs to take into cognizance the overriding public interest and this is not just about keeping information ‑‑ keeping the personal information of citizens and residents within the bounds, but also making sure that we find that thin line that enables law enforcement to actually carry out their work effectively.

I think by and large, this is the angle that I want to bring to this discussion.

Of course, the need for even the technical solutions being deployed to find a way to be deployed in such a way that this balance is maintained.  I would say that that's the main ‑‑ that that would be the main point of discussion at this point.   

Thank you.

>> YUXIAO LI: Thank you very much, George.

Thank you to our guest speakers again for your brilliant sharing.

Next, we will proceed to the discussion section and for the time reason, I hope everyone can control your time.

First of all, let's invite Ms. Wang Li, researcher at the Xi’An, Jiaotong University Suzhou Academy of Information Security.

If you have comments, please put them in the discussion area and we'll choose several to discuss.

>> WANG LI: Thank you for giving me a chance to join this discussion and all of your presentations, I want to share some of the opinions in order to combat the pandemic, government, private organization, they have taken several measures such as imposing social distancing, contract tracing, telemedicine and teleworking, we have consideration that was within the interplay between privacy and data protection, on one hand, the benefit of the public health and on the other hand, from my own opinion we have three aspects, four thoughts, one is about ‑‑ the first one, it is about develop and use privacy protection technology.  This includes using anonymous aggregated data, protecting information where they're use a contact tracing app and prevent the data from being shared and used outside its intended purpose and we still need to think more about the AI and other leading technologies when they are designed and developed we should have more consideration about the privacy and the security, not just after their launch.

The second, thinking about the common values and the fundamental principles, such as letting the public know that the organization, the government, the companies, they will facilitate the regulations and those with limitation and used limitation so that the public know that they can trust the operation of the data probing when they're information collecting, analyzing, using or sharing and I think it is very important when it comes to the personal identifiable information, and the third, I think it is about the data governance capability and we need to increase the risk awareness, realize the complex of the data governance and we must ensure there is just the best way, just to have the suitable, the effective ways to combat the academic and we do appreciate all of the countries' contributions and all of the experience still in the future we need to get more power and information to encourage the recovery of the society that we can embrace the shared future.

That's all of my opinions.

I thank you.

>> TAMAR KALDANI: Thank you. 

For the discussion, let me ask Eduardo Bertoni to give reflection, President of Argentinian DPA.

Thank you.

>> EDUARDO BERTONI: Thank you very much.  I hope everyone can hear well.

Thank you for the invitation to the workshop and to make my comments.

They were all very interesting presentations.  I would like to frame my discussion under two specific issues.  One, it is that we have to take into account the main purpose of the workshop, it is protection of data privacy in the prevention of COVID‑19, this is one thing.  The other, it is that we are speaking at the IGF, which is a multistakeholder meeting, so I will mention actions that have been mentioned during the presentation, that should be made not only by governments, but I think also by Civil Society, academia, technical sector, so on.

So I believe that there were many important outcomes during the debate.  I'm not ‑‑ I cannot mention all of them.  I just point so some of them.  I don't have the time to do so.

One word that I heard, in some presentation, it was the word balance.

Balance between data, personal data collection and protection of health.  I said many times during this month.

 

Contact Information

United Nations
Secretariat of the Internet Governance Forum (IGF)

Villa Le Bocage
Palais des Nations,
CH-1211 Geneva 10
Switzerland

igf [at] un [dot] org
+41 (0) 229 173 411