IGF 2019 WS #211 Value and Regulation of Personal Data in the BRICS

Information

Session

Thematic Track:

Topic(s):

Cross border data
Data privacy & protection
Digital sovereignty

Organizer 1: Civil Society, Latin American and Caribbean Group (GRULAC)
Organizer 2: Civil Society, Eastern European Group
Organizer 3: Civil Society, Latin American and Caribbean Group (GRULAC)

Speaker 1: Anja Kovacs, Civil Society, Asia-Pacific Group
Speaker 2: Dirk Delmartino, Private Sector, African Group
Speaker 3: Sagwadi Mabunda, Civil Society, African Group
Speaker 4: Andrey Shcherbovich, Civil Society, Eastern European Group
Speaker 5: Achilles Zaular, Government, Latin American and Caribbean Group (GRULAC)
Speaker 6: Min Jiang, Civil Society, Asia-Pacific Group
Speaker 7: Sophie Kwasny, Intergovernmental Organization, Western European and Others Group (WEOG)
Speaker 8: Luca Belli, Civil Society, Latin American and Caribbean Group (GRULAC)

Format:

Round Table - Circle - 90 Min

Description: Data are the most valuable asset in the world and the BRICS (Brazil, Russia, India, China and South Africa) are home to more than 40% of the world’s population and almost 40% of existing Internet users, who are data producers, innovators and consumers. In terms of data value generation, the BRICS represent an incredibly thriving emerging market and this is one of the main reasons why BRICS are developing or enacting data protection frameworks that will soon affect the 3.2 billion individuals living in the BRICS as well as on the rest of the world’s population. This proposal refers to the attitudes of BRICS countries for the regulation and governance of the Internet from the perspective of data protection. The goal of this workshop is to explore the most recent evolutions in terms of data protection in the BRICS and the impact such policy and institutional (r)evolutions are going to deploy on a global scale. Although little attention has been given by the international community, BRICS countries have undergone extraordinary policy and institutional changes with regard to data governance in the past couple of years. This session will analyse the advancements and challenges regarding how BRICS consider value generation and taxation with regard to personal data as well as the data protection frameworks that all BRICS countries have recently adopted or are elaborating. Particularly, panellists will discuss the relevant changes brought by: The approval of a new "General Data Protection Law" and the upcoming establishment of a new Data Protection Authority, in Brazil; The enactment of data protection and data localisation provisions, with particular regard to the new Internet Sovereignty law, in Russia; The recognition of privacy as a fundamental right by the Indian Supreme Court and the current elaboration of a new Indian Data Protection Law; The adoption of a Data Protection Standard and consultation process on the new “Internet Personal Information Security Protection Guidelines”, in China; The upcoming enactment of the "Protection of Personal Information Act", in South Africa This session will discuss recently enacted and upcoming regulatory provisions and institutional frameworks, as well as their elaboration process and the impact such national legislation is likely to deploy on a global level. Furthermore, panellists will scrutinise elements of convergence and divergence with other established data protection frameworks such as the European one and will focus on how existing frameworks consider the value of personal data. The workshop will have the following agenda 1. Theme introduction and session opening (Luca Belli, FGV) 2. Data Protection debate in Brazil (Achilles Zaluar, Brazilian Ministry of Foreign Affairs) 3. Data Protection debate in Russia (Andrey Shcherbovich, Higher School of Economics, Moscow) 4. Data Protection debate in India (Anja Kovacs, Internet Democracy project) 5. First round of questions and remarks from participants 7. Data Protection debate in China (Min Jiang, UNC Charlotte) 8. Data Protection debate in South Africa (Dirk del Martino, Naspers Group) 9. Comparison with the European framework (Sophie Kwasny, Council of Europe) 10. Questions and Answers Session.

Expected Outcomes: The workshop aims at putting forward concrete proposals aimed at enhancing compatibility of BRICS country national frameworks with regard to data protection. Such proposals will be enshrined into concrete policy messages to be included in the workshop reports. To support the policy messages discussed by stakeholders, before the workshop the results of the CyberBRICS project with regard to the protection of the personal data in the BRICS countries will be shared with the workshop panellists. The CyberBRICS project aims at mapping existing regulations, identifying best practices and developing policy suggestions regarding personal data protection and cybersecurity governance in the BRICS. The findings of the project - which is currently ongoing - will be used to support the workshop debates.

Policy Question(s):

Over the past decade BRICS (Brazil, Russia, India, China and South Africa) alone have added more than one billion users to the world’s Internet population and, over the next decade, a further one billion of BRICS nationals will be connected to the Internet. This incredible number of individuals are personal data producers, innovators and consumers and enjoy an ample range of rights, shaped by the various regulatory instruments that BRICS countries have recently adopted and are adopting with regard to data protection. Importantly, as the majority of the world’s Internet population is going to be increasingly BRICS centered, the policies adopted by these countries are likely to have global impact. In such perspective, this workshop will address the following policy questions: 1. What national laws (or other type of normative acts) regulate the collection and use of personal data in the BRICS country? 2. Do the laws recently adopted by BRICS countries apply to foreign entities that do not have physical presence in such countries? 3. Are data protection laws adopted by BRICS countries based on fundamental rights defined in Constitutional law or International binding documents? 4. Are the newly adopted frameworks converging or diverging from other existing frameworks such as the European one? And are BRICS national frameworks they converging amongst themselves?

Relevance to Theme: This proposal refers to the attitudes of BRICS (Brazil, Russia, India, China and South Africa) countries for the regulation and governance of the Internet from the perspective of data protection. These areas are extremely essential to analyze the full scope of the data governance and regulation in the BRICS and in the impact of BRICS policies and regulations on global data governance. The goal of this workshop is to explore the most recent evolutions in terms of data protection in the BRICS and the impact such policy and institutional changes are going to deploy on data governance and data flows affecting the 3.2 billion individuals living in the BRICS as well as on the rest of the world’s population Although little attention has been given by the international community, BRICS countries have undergone extraordinary policy and institutional changes with regard to data governance in the past couple of years. Landmark events analysed by the panellists will include: The approval of a new "General Data Protection Law" and the upcoming establishment of a new Data Protection Authority, in Brazil; The enactment of data protection and data localisation provisions, with particular regard to the new Internet Sovereignty law, in Russia; The recognition of privacy as a fundamental right by the Indian Supreme Court and the current elaboration of a new Indian Data Protection Law; The adoption of a Data Protection Standard and consultation process on the new “Internet Personal Information Security Protection Guidelines”, in China; The upcoming enactment of the "Protection of Personal Information Act", in South Africa The convergence and divergence of BRICS data governance architectures with other frameworks such as the European one.

Relevance to Internet Governance: The majority of the “next billion users” is projected to come from the BRICS countries and, therefore, the policy and regulations adopted by this group of countries is going to shape not only the rights and obligations of their citizens but also the global data flows and business. The topic proposed by this workshop directly falls within the sub-theme of the IGF 2019 on Data Governance. It will cover specific issues on data protection in all the BRICS countries, analysing the most recent development in terms of policy and regulation and how such developments will impact national and international stakeholders. Over the past decade, BRICS countries have demonstrated to be very active in the field of Internet Governance, although with very different approaches. Recent examples of countries to regulation are Wuzhen Declaration (China), and NetMundial Initiative (Brazil). Also, Brazil is the only country which organized the IGF twice – in Rio de Janeiro in 2007 and in João Pessoa in 2015 - and a recognised leader in multi - stakeholder participation in Internet governance. The elaboration and adoption of data protections frameworks in the BRICS tellingly exemplify the different approaches that these countries utilise to elaborate, enact and implement norms, involving a wide spectrum of stakeholder but in very different ways. This session aims not only to analyse the content of the data protection norms adopted by the BRICS but also the governance processes these countries adopt to elaborate and implement such norms, thus directly exploring Internet governance in the BRICS and its impact on global governance.

Discussion Facilitation:

There will be 6 short presentations (5 minutes each) where the speakers will participate at the discussion sharing their expertise from different stakeholder perspectives. Between the first group of 3 presentations and the second group there will be a short question and comment break, to allow participants in the room to share their ideas and participate in an interactive fashion. The session will be concluded by a Q&A session including the remote participants followed by discussions with all participants in the room on important points raised by the panellists. workshop (some topics will be collected before the workshop from the pre-registered remote participants). Therefore, the entire workshop will be fully interactive between the speakers, remote participants and the audience in the room.

Online Participation:

Yes. We suppose that official online participation platform will be useful tool to increase level of online participation.

Proposed Additional Tools: As we made previously we will connect remote hubs to the session. These hubs based in Moscow, Higher School of Economics and in FGV, Rio de Janeiro. Practice shows that these online platforms are interesting for other hubs in academic institutions worldwide. In addition, we reserve an option for speakers to participate online in remote mode in case some of them would be unable to be present onsite.

SDGs:

GOAL 5: Gender Equality
GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 17: Partnerships for the Goals

Reference Document

Report

1. Key Policy Questions and Expectations:

1. What national laws (or other types of normative acts) regulate the collection and use of personal data in the BRICS countries?

2. Do the laws recently adopted by BRICS countries apply to foreign entities that do not have a physical presence in such countries?

3. Are data protection laws adopted by BRICS countries based on fundamental rights defined in Constitutional law or International binding documents? Are the newly adopted frameworks converging amongst themselves and can they be compared to other existing frameworks such as the European one?

2. Discussion Areas:

It was general consensus that the political, economic and social systems of the BRICS countries are different and they have different approaches to data protection. Therefore, the approach of policies should regard cooperation, not coordination.

Some of the participants highlighted that there should be no sovereignty over the internet and addressed as a solution the development of international frameworks regarding multistakeholderism. Others observed that the free flow of information entails bidirectional flow – i.e., when it becomes possible to funnel data from one country and only extract value on another. Therefore, data localization is also about protectionism.

3. Policy Recommendations or Suggestions for the Way Forward:

4. Other Initiatives Addressing the Session Issues:

The legal initiatives were presented in each of the countries, as mentioned before. Brazil with LGPD, which is similar to the GDPR; India with the jurisdictional declaration of data protection as a fundamental right and a Data Protection Bill; China with new cybersecurity standards; Russia with new regulation; and South Africa with POPI.

Russia’s legislation has a protectionist approach and it says that data of Russian citizens must be localized inside of Russia’s territory. That was pointed out as the main reason for some service providers to abandon the Russian market – changes in this approach should be necessary to avoid arbitrary ban of social networks.

5. Making Progress for Tackled Issues:

Participants observed that data localization is linked to sovereignty, but it is also deeply intertwined with protectionism. The free flow of information looks like a great exchange of information, in the paper, but in practice it looks like a draining of valuable information. Also, legislations that allows authorities to collect and use personal information without user consent should be targeted in policymaking.

6. Estimated Participation:

Onsite and online: 60 and 108

Women onsite: 30

7. Reflection to Gender Issues:

Gender Equality is one of the goals of the discussion about what values should be considered in the BRICS.

8. Session Outputs:

The purpose of this section was to map and identify what could be the best practices BRICS countries should follow to create a legally predictable environment for business regarding data protection.