IGF 2022 Day 2 MAIN SESSION: GOVERNING DATA & PROTECTING PRIVACY

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> MODERATOR: Hello, everybody.  Welcome to the session on data governance and protecting privacy.  My name is Carol Roach and I will be the moderator today.  Welcome to those in the Conference room on site as well as those on line.  We hope to make it a dynamic session, so I hope you have your pens or pencils or notepads ready to take questions.  So today we are going to look at governing data and protecting privacy, reality versus on paper, a deep dive into the data system.

So we will be looking at themes today, themes like privacy and protection from a multistakeholder perspective.  What is being protected, people or data?  What is the collective understanding of data?  The opportunities and threats in the midst of deriving value, successes and setbacks of legal framework on the data ecosystem.  We have put together a dynamic and exciting panel for you today.  We have on line.  Pilar Fajarnes who is the lead author of UNCTAD Digital Economy Report 2021.

She has been working as Economic Affairs Officer in the research section in the E‑commerce and Digital Branch of the Division of Technology and Logistics at the UN Conference on Trade and Development.  We have also joining us online is Arturo‑Muente Kunigami, currently working on digital Government innovation projects and knowledge, coordinating the digital identity agenda and policies for the public sector at the American Development Bank.  We have Gbenga Sesan, Executive Director of Paradigm Initiative, a PanAfrica social enterprise working on digital inclusion, digital rights.  He is a member of the UN High Leadership Panel.  And we have Nathaniel Fick who was recently sworn in this year as the US Ambassador at large for cyberspace and digital policy. 

We have with us Themba Mazibu, cybersecurity professional and senior manager IT analyst at the information regulator of South Africa.  We have Peggy Hicks, Director of the Thematic Engagement and rights development division of the UN Human Rights Office.  Shina Migena, Association for Progressive Communication and she is coordinating the Our Voices Are Our Futures project. 

And last but not least, we have Florian Markus.  He has supported Governments on the political and legal structural changes.  He has worked on projects to rejuvenate digital transformation efforts throughout the workshop in several countries.

So the panel will give brief intervention, and then we will entertain questions and conversations.  So let's keep it lively.  Thank you.

>> We will now have Pilar.

>> PILAR FAJARNES:  Good afternoon, everybody, I thank you to have been invited to participate in this meeting.  I will present the findings for the report that we focus on data flows and development because we found that it was quite important to focus on data awareness given that the importance that data has acquired as an economic and strategic resource.

Data can generate private profits, but also significant social value for development.  Beyond the economic dimension data can bring immense benefits but also carry risk in relation to privacy and other human rights and peace and security.

Data needs to be sure, but with guarantees that human rights and other particular concerns are addressed.  We need data to help us overcome development challenges such as climate change and pandemic, but if they are handled they can lead to the lead to infringement of human rights development outcomes and undermine the functioning of Internet.

Our common actions, therefore, matter greatly for the achievement of the SDGs.  We have seen in recent years how the amount of data flowing around the world has exploded, increased exponentially, but at the same time the data driven digital economy is evolving fast against a back drop of huge digital divides and imbalances in the world economy.

A huge amount of the population of the world population still remains offline, and in the Least Developed Countries, only one in five people uses the Internet.

Moreover the benefits of the data digital economy, of the data driven digital economy have so far unevenly been distributed.  Two countries stand out to harness most of the benefits from the data, the United States and China, which have huge control over the main database technologies.

And also most of the countries are in a position to benefit from the data are based in these countries and these large digital platforms are strengthening the dominant positions along the whole world or global data value chain.  Many Developing Countries are, therefore, concerned that they will become mere providers of raw data to global platforms who are having to rely on foreign knowledge that is produced from those data that are taken from the countries.

At the same time, the global data governance landscape is highly fragmented.  Governments approaches are among the main players in the economy if we can speak in a rough manner.  In the United States the approach focuses on control of the data by the private sector.  The Chinese model emphasize the control of data by the Government, and the European Union emphasize control of data by individuals.

And these approaches are also taken into the expansion to get more data in the world economy.  This means that the current context is one of tensions among these data areas.  What do we see with the current situation on data awareness is that this siloed oriented data driven digital economy goes against the original spirit of the Internet as a free, decentralized and open network.

Fragmentation hampers technological process, reduces competition and opportunities for collaboration among jurisdictions.  This is likely to have significant negative impacts for more Developing Countries.  We have reviewed a number of international and international and regional agreements in relation to data, but the conclusion that comes is that the global data governance landscape is a patchwork of national and regional and international rules that complicate their relation to the digital economy and particularly regional and international regulatory frameworks tend to be either too narrow in scope, for example, they focus only on the trade area or focus only on privacy, and they fail to look at the multidimensional fashion of data or limited geographically.

And data is a global challenge.  They need to be addressed starting electric the international level at different levels too.  So this regime failed to enable data flows with an equitable setting of economic development gains properly addressing barriers, risk involved.

What we would see on the way forward is that we see an urgent need to develop a more balanced approach to global data governance to find a common ground for data to work for people and the planet.  This is to avoid farther fragmentation in the digital space, to enable global data, to mitigate wide inequalities to enhance trust in the digital economy, to deal with the dominant role of some digital platforms and to account for the impact of over other countries.

Ultimately, we think that the goal should be to enable data to flow as freely as necessity and possible, while being able to address barriers, development objectives.  In this context, we see several policy areas that could be addressed through data awareness which may include agreeing on definitions and taxonomies for establishing terms of access corresponding on type of data, strengthening the measurement of data, data flows and their value, dealing with data as public good, exploding new forms of data awareness, developing standards, and also increasing international cooperation on the governance of digital platform, for example, on taxation and competition policies.

In this approach, we think that the United Nations needs to play a clear role because at this moment there is a lack of a holistic treatment of data and discussions remain in silos.  The United Nations is the most inclusive forum and we see that many countries still remain marginalized in the negotiations on data governance.

So we point to the need of a new United Nations coordinating body or mechanism for data awareness, but we are leaving this open to discussion among the countries and the different stakeholders.  We think that the global governance approach should be multilateral, multistakeholder and multi-dimensional to account for the multidimensionality of data.

And I would leave you with that, because we think that the discussion should go from there on having some innovative thinking of what kind of governance we could have from our research.  Thank you very much.

>> MODERATOR: Thank you Pilar, Arturo.

>> ARTURO MUENTE‑KUNIGAMI:  Can you hear me?  I have a couple of things I want to share, and I hope I won't consume the time being allotted.  So I want to start thanking you for the invitation to participate in this panel.  I will share a little bit of what we have done in Latin America and lessons learned or recommendations that we are drawing from the work we are starting to do here.

So I want to start with this map I use just to showcase what has been happening, I use it as a problem, but basically what we are seeing is that these different agendas or topics that are related to data have been appearing and popping up, you know, in response to different phenomenon that we have been seeing so Governments are starting to create groups around open data, actually come from the open data kind of camp.

We have the data security camp.  We have the data sharing, interoperability, we have the access to information which even sometimes confuse with the open data one.  We have data protection, the one that's bringing us here, enthusiasts working with new technology based on data, particularly AI, et cetera, and all of these different sort of agendas are starting to grow and they are starting to, you know, step on each other's toes.

And what we are not seeing yet, and that's one of the things we are trying to work with is to create a coordinated, I guess, similar in nature to recommendations, the previous speaker has shared, a layer of coordination among these different agendas, because that will help, I think, we think, address some of the concerns that actually you have raised as topics in this panel.

So what we have done, we have made a comparison around the data protection legislation available in the region.  The Inter‑American development bank works with 26 countries in South America, Central America and the Caribbean.  Out of those 26 countries, 17 countries have data protection, personal data protection legislation.  That is approximately 65%, which is a little bit around percentage that was included in the report.

We have two or three countries we are helping with their draft legislation, and, of course, the rest do not have an active legislation.  The thing to consider here is that it's not a binary variable whether you have or not legislation.  It does help a lot, but we have countries that have legislation that is more than 20 years old that is in need for a very urgent update, that's not being sort of made for the digital economy.

Some of them are preGDPR and whether we like it or not, GDPR has set a bar, so what we have done is this comparison with the Inter‑American data presentation standards.  Basically there is an Ibero‑American Data Protection Network that consists of authorities in charge of enforcing data protection.  The standards were aligned with GDPR.  We are comparing those with the legislation that we have in place in the region.

With that there is the QR for the website if you can see it.  We also in the same web page you are going to find a survey to 10,000 people in the region representing 10 countries, so we just wanted to know about awareness on data protection, and whether they knew what exactly the personal data protection was, and then we also analyzed some of the initiatives that appear in response to the pandemic and how they were treating personal data from the citizens that were using those different in most cases apps.

So what did we learn?  Like I said, 17 out of 26 countries that we worked with, and I want to emphasize that because I think there are approximately other five or so countries, mostly in the Caribbean that we are not working with, but 17 out of 26 that we work with have a personal data protection legislation in place.

Like I said, some of them are even from 1999, so they need an urgent update.  Down to Belize, I think, approved personal data protection legislation 2021.  We have Jamaica, Ecuador, 2020 I think Barbados 2019.  So there has been also a sort of wave of countries approving data protection legislation in the last couple of years.

Ibero American data protection standards.  They include general rules for international transfer of data.  And one of the things we have seen is the difference you were mentioning at the beginning of the panel between on paper and reality.  And basically even if the legislation that we have in place in our countries is pretty much aligned with the principles behind the standards which, like I said, are pretty much aligned with the principles aligned with European regulation, there is a lot to be done in terms of enforcement.

Most of the legislation allows exchange of data with providers in other countries as long as they have an adequate data protection or similar data protection environment or legislation as a country, the host country, but who is defining adequacy?  Who is betting whether those different providers, vendors, or countries data legislation.  It's something that's left a little bit to the actual company that's making the or entity that is making the data processing.  Governments in some cases also have trouble with using Cloud Services.  There is one or two countries where they are actually decided that all information from Government must be stored within the territory of the country.

Who enforces this legislation?  How well is it done?  And as I mentioned at the beginning, what we are seeing overall is this need for a strong and coordinated institutional framework.  Out of the 17 countries, and we need to also understand, like I said, that many of these legislations are relatively new, but I would say it's about 8 to 10 including a couple of Commissioners in the Caribbean that are, have been actually created to enforce the legislation.

There are some countries where despite having the legal framework don't have an entity that is in charge of enforcing, and even then there are like several layers.  So you have the attributes that the law gives the entity, then you have the actual resources that the entity has.  And one of those attributes are going back about independence, about the capacity to make decisions independently, that has a collegial leadership.  It's something that we are also looking at, and also the ‑‑

>> MODERATOR: I'm sorry, we are going to have to come back to you.  So keep those thoughts.  Thank you very much.  Stay with us.  Thanks.

Thank you, Arturo, we will get back to you.  When we talk about data governance and protecting privacy, one thing that comes to mind is trust, because trust is at the centre of all of this, and unfortunately, whatever erodes trust, violations erode trust and whatever erodes trust as a community we need to condemn.  One number that comes to mind is 1.9 billion.  That's the number of people who were cut off from the Internet in the first half of 2022, not unconnected, but disconnected by deliberate shutdowns like the one going on in tie gray in Ethiopia now, and I'm taking that because we are in Ethiopia discussing the Internet.

I think it's important to have these conversations because we can keep talking about governance.  We can keep talking about protecting privacy, but if we don't address the violations, we will be eroding trust and the people, the stakeholder we need to work with will know that we are just having a talk show, and we will have all of these conversations and loaf the place and say we will see you again next year.

I think it's important to talk about this.  And that's one of the reasons why talking about the region we are in today which is Africa, we have a framework in place since 2014.  And I think a number of sessions of the IGF have talked about it and how worrying it is that we have only eight signatures so far.  We need 15.  Someone compared the signatures we have to just eight to the number of countries we have on the continent, over 50, and that point for me prioritize, when we have conversations we prioritize topics, but when it comes to action, we don't prioritize.

Because if our talk and our action don't align, then we may as well not waste our time to jump on planes and jump on Zoom to have these conversations and invest time in them.  So, and having said this, I know that privacy and must definitely be deliberate.  When we talk about data governance, there are institutions, there are many institutions involved, thankfully, we are the IGF which is multistakeholder, so we have got academia, civil society, Government, private sector, but one central institution that plays a prominent role in data governance are data protection authorities or whatever name you call them in various constituencies.

This DPAs, one of the things that in our own work at the initiative and we did a study over the last 20 years of data protection on the continent looking specifically at 30 countries, looking at those that got data protection laws but don't have data protection authorities, but one of the things we found in our report is that as we have a lot more data, mass data collection projects in many countries, unfortunately, we don't have legal frameworks to protect us, and that also erodes trust.

I can give you many examples of many countries where people have to give biometric information to multiple Government agencies and there is no legal framework to protect that.  One of the things we found in the study is also the fact that COVID was a period where we really needed trust.  And there was a lot of data collection for the purpose of fighting the virus, getting the virus and things like that and hopefully WHO announces that it's over.  But one of the things we saw and documented in the report is the fact that many Governments while investing heavily in data collection have not invested equally in protecting the data.

In fact, one of the major things that we found was that there were violations by agencies that were supposed to protect data, and that, of course, led to many scenarios where citizens refused and then Governments had to literally force them and say if you don't do this by this particular date, you are going to be cut off banking or cut off certain services.

That is not where we are supposed to be.  If we are talking about governance, if we are talking about protection, then we have to strengthen institutions.  We saw the needs are obvious, identified a lot of gaps, but one of the beautiful things we saw across the 30 countries we looked at is the fact that all stakeholders now understand the place of data, and are willing to commit time and resources to working together.  And I think this is the good news that I have as far as data governance and protecting privacy is concerned that gone are the days where it was just the remit of maybe Governments talking about this, but now including users, all stakeholders are willing to chip in and get us to move forward.

Trust is at the centre, and we need to make sure that doesn't get eroded through violations and other things.  Thank you.

>> MODERATOR: Thank you.  Ambassador.

>> You are a very hard act to follow.  I could listen all day.  Thank you very much for having me.  It's a pleasure and an honour to be both at the IGF and on this important panel.  And I'm going to begin my remarks with a short explanation of how we at the U.S. Department of state view data privacy and data governance.

So data protection is a key geopolitical issue central to our strategic interests.  It's central to efforts to promote meaningful connectivity to an open, interoperable, secure and reliable Internet and to a stable cyberspace overall.

I would be remiss to take the floor today without commenting briefly on the importance of access to telecommunications, the Internet and digital technologies and promoting and protecting the exercise of human rights and fundamental freedoms in modern societies.

Governments should facilitate that access and refrain from shutting down telecommunications and the Internet to isolate regions and inhibit information and expression online.  Here in Ethiopia, we applaud the Pitory agreement and call on the Government to restore full services including Internet access to all areas affected by the conflict.

Data governance and privacy are central to this call to put forward a compelling and affirmative vision for the future of technology.  And we seek to work with a community of like‑minded partners to develop shared approaches and to demonstrate we can develop policy solutions that reflect our commitment to strong and effective privacy protections while simultaneously facilitating the cross‑border data flows that open market‑led economies and societies depend upon.

So just with that as background, let me lay out three underlying principles on privacy and data governance from our perspective.  First, we don't see a zero sum tradeoff between protecting privacy and facilitating cross‑border data flows.  We can and must support both objectives simultaneously.  We know the cross‑border data flows are the life blood of the modern economy vital not just for large technology companies, but for companies and organisations of all sizes across all sectors.

Data flows are critical for international cooperation on scientific research, law enforcement, national security, transportation, and ensuring people‑to‑people ties around the globe.

But we also know that people, communities and Governments around the world are rightfully demanding stronger and more effective data privacy protections.  Without strong privacy protections people lose just in cross‑border data flows and trust is the currency.

We do not accept the view that effective privacy protections must necessarily impede cross border data flows.  Rather we view privacy protections as contributing to a safer, more prosperous digital economy.  The second, for instance, as mentioned earlier, is we need to focus on privacy protections as implemented on the ground, and not just in the abstract.

As we see more and more countries around the world adopting new or updated privacy legislation, the gap can grow between the rules on the books and the implementation in practice.  With inconsistent enforcement and significant confusion among businesses and other entities on what exactly is required to comply with the law.  And to build trust in the digital economy, we need to ensure not only the effective privacy laws are on the books but that market participants understand and follow them.

That's why data governance policies should be developed with input from the multistakeholder community who understand not only the abstract legal debates around privacy, but also the real world challenges of implementing effective data privacy solutions.  That brings me to the third and final principle, which is the need for interoperability between countries' data privacy regimes.

When we focus on the real world implementation of data protection it is clear that there will be no single one size fits all approach.  Countries have their own histories, cultures, legal traditions and regulatory structures.  They will thus develop privacy protections consistent with their local context and the need to protect human rights.

As countries develop tailored approaches to data privacy, some level of consistency and interoperability between approaches is necessary to ensure that as data moves across borders it ensures effective protections.  Let me use this opportunity to highlight one such effort to promote interoperability about the U.S. is decided the global cross privacy rules or CBPR system.

The CBPR system is based on a voluntary data privacy certification that helps companies demonstrate compliance with internationally recognized privacy standards.  The system was developed under APEC, but current member companies are branching a global CPBR forum to all jurisdictions, with the unique approach founded on creating practical roles.  The global CBPR system will facilitate trade, international data flows while building on shared data privacy values.

To this end, we hope many economies, many countries will join the new forum, and that many companies will pursue CBPR certification.  If you are interested in learning more about the program, you can check it out, it's global CBPR.org.  Thanks again for the opportunity to be here.

>> MODERATOR: Thank you.

>> So thank you for this opportunity, Carol, and to my panelists, you will be a hard act to follow.  So from my approach, we need to look at data as the new currency, because in trying to answer the question of who we are protecting, is the people or the data, it needs to be said that this data that we are talking about drives the digital world.  All of the Internet applications that we use on a daily basis, and it also has a major role to play in the economic growth, especially on our continent.

The use of data has grown exponentially and the data being aggregated and shared amongst the highest consumers, especially in the marketing and insurance field has opened a door somewhat for illegal collections of data just to enhance the profit and the bottom line of these huge companies.

And as noted, the enriched data sales have become more important revenue stream in many organisations.  So we need to look at how now the security compromises or the data breaches that result from this really affect how they affect the people that actually are the data subjects.

So it's the people who own the data, and for our purposes in South Africa, our data regulations stem from our Bill of Rights which say that everyone has a right to privacy.  So if people have the right to privacy, their data is part of what they need to keep private, and normally we have the data subject first as long as the regulations being implemented are only on paper.

So from what we have observed as a regulator in South Africa is that a lot of the compromises we have seen in assessing the companies we find that they have the measures in place.  They have the policies.  They have the way that they are doing the procedures, but the implementation is just not there.  I mean, we are outsourcing our development efforts.  We are also outsourcing the ethical role that we have in protecting the privacy of individuals.

I think it's a very important question that we need to answer in terms of what is the broad spectrum of the ethics we are talking about, who do they depend on?  Is it dependent on me who is making the profit or is it dependent on the right thing to do?

So in implementing privacy by design and systems, for instance, we need to be able to monitor the people who are actually implementing these designs.

What happens when the privacy rights of the individual which could be posted by adding encryption clash with a developer's intent to achieve low latency on the system.  We know that by adding encryption we will lose a lot of time in processing.

So they have the opportunity to deliver bad news to management as well especially if it affects bottom line as an indication of how we see this disjoint between security measures on paper and the actual security implementations on live systems.

We do need a global framework.  I know that there is a lot of cultural differences, a lot of differences within countries in terms of their regulations, but in order for us to facilitate the cross‑border data flows, we do need an equal playing field in terms of the data privacy regulations.

That said, these privacy regulations should be aligned with each other if we are to achieve a situation where we can continue to use the data, grow the economies that are desperately in need of the opportunities that come with information processing.  So in saving time and ensuring that we can have more discussions later, I will pass onto my next colleague.

>> Thank you so much.  Happy to be here, and I'm looking forward to picking up the points that have been made so far.  I would start off by placing this conversation in a framework of human rights.  We are talking about data protection and data privacy, not as a matter of convenience or as a good practice, but because people have a right to privacy.

And in fact, data protection affects a broad range of other rights.  It affects the rights to equal treatment and non‑discrimination, access to the rights to health and education, for example, and also fundamental access to Democratic rights including free expression and free association as Government access to personal data increases.

I would also underline points made by my colleagues on Internet access and how while we look at the right side of this, we also know that the data flow and data is a currency as has been said is essential.  So we agree entirely with the need to end Internet shutdowns in this context.

The scale of the challenge we face with regards to data is immense.  Social media and search engines, the main source of information, of course, and income stems from tracking‑based advertising relying on collection and monetization of massive amounts of data.

In the quotes, of course, a growing sort of data being collected, shared and analyzed.  In that context we need to look at where we stand.  We have heard quite a bit about legal frameworks in place.  The good news is we have had a lot of work done on what are sort of the minimum requirements for effective data protection legislation.  And obviously Convention went away.

Our office did a report on the right to privacy in 2018 that really pointed to the key elements of that legislation, you know, requirements such as having a legal basis for processing data, the necessity and proportionality of processing data, a point that Pilar made, having a well-defined purpose within that legislation, and important points around the limited scope, duration of data retention and processing, data accuracy, data security and adequate security measures, the range of data subjects involved and the obligations of entities processing data and the institutional safeguards that exist.

Fundamentally, it comes back to the role of independent oversight bodies for these activities as well, and not only creating those bodies, but resourcing them in a way that they can do those jobs effectively.  So with that as background, what are the key challenges in the area of data protection and privacy?

We need better laws in a lot of places to make this work.  We have seen progress there, but as Arturo pointed out, even when we have laws there is sometimes work to be done, and we need, of course, as the Ambassador said a multistakeholder approach to making sure that those laws are truly responsive to the needs of all communities.  So engagement by civil society there as well.

We also wanted to point out that one of the key flaws in some of the existing legislation is an absence of or requirements for handling data by public authorities, and this is an area where substantial human rights concerns arise as Benga has said.

We really also recognize that even if we started from a good foundation on data protection, we are facing increasingly new threats in this area as we develop new uses of AI and data‑intensive technologies increase.  So what we need to think is a more accelerated and expanded scope for how we are looking at data protection and privacy, thinking along the lines of data justice rather than data protection, and looking at elements and approaches that will prevent and mitigate data‑related harms more broadly, and my colleagues are giving me tons of example, but just a couple, along the lines of antidiscrimination impact on marginalized peoples, we know that those are areas where we have seen huge problems with data legislation and fraud detection tools being used in social benefit systems as an example of that where it's gone horribly wrong.

We are concerned about automated decision making and the minimum rights that people have to understanding how their rights are being affected by it, and transparency around its use, and systems around inferring information based on existing data and how we could regulate those areas as well.  And as I said, oversight bodies are a key element to making all of that work more effectively.

I too wanted to bring up the issues of cross‑border data flows and localization requirements which I agree we need to find a way to square those issues within the context of human rights.  We want data flows to go across borders, and we know that data localization has many pitfalls in a variety of ways.  One, it increases Government power over data and puts pressure points on companies that are perhaps not as useful.

It fragmentizes the Internet and has tensions with the right to freedom of expression, and can be economically burdensome.  We agree we need frameworks that allow for personal data to be transferred across states but we would like to see the frameworks protected under the level required by international human rights law.  We look to the GDPR which permits transfers of data with adequate level of protection in another state, and also we are going to play, I guess, as the Ambassador the cross global privacy rules forum.

One final word would be on the law enforcement side, where law enforcement access to user data is a particular area of human rights risk so we want to make sure that minimum safeguards are in place for those systems for a transfer of data including requirements around dual criminality for oversight, for less invasive measures in limiting transfers to grave crimes and ensuring we have relevant public authorities in place where direct access to data held by companies is sought as well.

>> MODERATOR: Thank you.  Sheena.

>> Yes, I'm stumped.  It's a bit hard to follow after everything that everyone has said, so I will say what I want to say, but maybe it will be similar but said differently.  I think it's important to locate myself as a member of civil society.

I work at the intersection of human rights, in particular women's rights, LGBTQI rights and technology, and where I work is also situated around using a feminist framework to try and understand what's going on.  So it's understandable for people like me and people in the communities that I work with who come to a space like this, it's a bit overwhelming because there are references to documents we don't know about.  So there is something about data governance and protecting privacy that's a bit obscure.  There is something about the space that is a bit siloed and I like what you said about how we cannot look at the work of data governance and protecting privacy in isolation as its own space located around technology because when we do ask for data protection laws to be instituted in countries and states and contexts where they are already existing laws that are not being respected, it created an issue of trust.

So when you say that you want to put in place better laws when the already existing laws are not being respected, civil society are scared.  We just think it's going to be another law that's going to come and seek us out, especially if you are a decriminalized identity, if you work in a criminalized labor, if your labor is criminalized, for example.  When the Government comes and says, and often by force, there is the option of choice never exists in a lot of these spaces, and often you find that laws that are put in place become quickly insufficient, especially if the focus is more around the data, for example, and not the people.

And you find that how, what data is shifts very quickly.  What data can look like looks very different, like, for instance, we have the data protection Act put in place in 2019.  Of course, after a pandemic that looks very different.  So now we have to go back and see is it sufficient given that we had a pandemic and the Government used force to collect information out of its citizenship without the right protections, without any kind of consultation, without any kind of right to say no, which infringes on other fundamental human rights of the people.

I think another important thing to speak about is, and I think very many other people have spoken about protecting privacy, which is especially important for communities that find safe haven and digital platforms online, on social media.  When we put in place laws that flout the right to privacy, then we find spaces are not safe and there aren't additional spaces for people to gather and the criminalized identities are criminalized on and offline, and the same kinds of violence we experience offline for having particular bodies across race, class, gender, the same violence finds itself replicated in the online space.

And in previous conversations I have had with other members of civil society, the trust issue is quite big because you find that a lot of people don't understand and some of the data protection language is vague by design.  So who is it protecting?  Is it protecting the state?  Because chances are if there is a data protection Act of sorts and then my data is leaked, say, through an act of nonconsensual distribution of intimate images my right to resource is less than let's say the ruling class, the political class who can get a blogger arrested for calling out something, and using the same laws that are supposed to protect a young woman what has experienced violence online, then used to silence and to subjugate citizenships.

I think another thing worth saying here is I would close with language that a lot of feminists and women's rights movements use which is the language of intersectionality, and understanding that there isn't a single issue, and when we do come here and we say it is important to say the Internet is an important space and that we need to strengthen legal or legislative frameworks that make sure that the Internet is free, these laws still exist within contexts where so many other rights and freedoms are being infringed upon, and, therefore when you say that I should be allowed to be who I am online in the context of a political reality where I am not allowed to be who I am offline, it creates a contribution, and I think there needs to be, I think you called it interoperability, there needs to be an interoperability, a more intentional seeking out of different actors across the various human rights spaces and frameworks to see how can we lend more solidarity?  How can we share more resources towards ensuring that we are not trying to see this as a single issue, space or situation, and how do we strengthen all human rights for all people in all spaces, both online and offline?

>> I would like to start by saying thank you so much to the IGF 2022 for the organisation, of course, for the invitation as well.  In the same breath I have to say in my opinion this is an awful, awful panel, simply because we have plenty of experts and plenty of important topics and only 90 minutes.  So I think this has its own Conference in the future.

If, I think we can start with what was mentioned before with the area of trust.  I am German I have been living in Estonia for the last seven years so sort of different experiences in that area.  If we are being honest, probably also in this room and those watching via Zoom, if we are being honest most Governments and most companies today do not deserve our trust when it comes to the way that our data is being handled.

I mean, we can throw at the private sector all day long, we can do the same for the public sector.  When I hear that there are still countries, not just in Africa, also in Europe and everywhere around the world that duplicate citizen data, biometric data nonetheless, that is unacceptable.  This brings me to the point I want to come to, what is the on‑paper situation, and what is the real live situation?

The first thing that we have to do is fix the on‑paper situation?  Do you having like the GDPR?  The answer for many countries is, yes, not all, but we are getting there.  But I heard the previous panelist discuss already the desirability, perhaps, of a global framework of recommendations for privacy.  I want to ‑‑ I don't want to shut the lid on that, but I definitely want to put a damper on this because looking at the EU where we do have GDPR with 27 Member States that have signed up to it, I can tell you we are not all following the GDPR in the same way.

That is not because one country is super smart and one country is really rude.  It's because due to different cultures, we have very different interpretations of the same legislation.  So even if we have a globally agreed upon framework which will not happen.  We will not come to an agreement there, but if we did, we would not execute that framework in the same way.

Very, very simple baseline example, in Estonia we have multistory car parks with tiny barriers in front and they can read the license plate.  In Germany for the longest time that was illegal because of GDPR concerns.  So Estonians were saying we have got the GDPR so why can we make barriers work with the license plate recognition and why can't you?

This is the tiniest example and we can scale that up to biometrical storage of fingerprints or healthcare data exchange across borders.  So there is a myriad of topics that we, number one, we will not come to an agreement to, and if we do, we will not execute them in the same way.

Perhaps I would want to finish on one point about data privacy and governance from Estonia and number one on paper, number two, in practice.  In Estonia we have the once only policy.  It says across the different Government agencies only one Government authority can store a particular point of data.

So if the population registry has stored your data because they are the ones responsible for that, the other agencies cannot ask you for the same data point.  They have to ask from that authority.  Boom!  Done!

The second point is not just about privacy enforcement, but also about how realizable is it per se from the citizen's point of view.  In Estonia as an example, there is a sort of data tracker where I can see every single time where the Government looked at my data, when and why.  And based on that, I can then head to the data protection inspector.

So it's very well that we have a myriad of DPAs around the world that have enforcement capability, but the question is are citizens actually aware of their rights being infringed upon?  So I think this is something we also have to deal with.  Thanks a lot.

>> MODERATOR: Thank you.  I told you we had an exciting panel, and I think that they have given you a lot of food for thought.  I'm sure we have questions.  Peace, anything online for us today?  While Peace is looking we have quite a lot here, so we are going to start with the gentleman at the back.  And we are going to quickly make our way over.  We are going to ask you, please, don't give us multiple questions in one.  So just give us one question, not with 100 parts.  Thank you.

>> AUDIENCE: Thank you.  I appreciate all of the presenters, my name is Anaga from Ethiopia and working with the Ministry of Innovation and technology.  I have no question but I have an opinion so according to my opening we need Ethiopians, the capacity building of a knowledge sharing program, a scholarship program regarding digitalization and good governance.

We need collaboration, cooperation and coordination in a multi‑stakeholder capacity in Ethiopia.  So I would appreciate if you have any kind of information regarding your interest so we are open to our office and you are welcome.  So young researchers must be advocated in different sector of research, technology, innovation.  So youngsters and children must be advocate or encouraged regarding innovation and technology in Ethiopia.

So if you have interest, we collaborate in particular in terms of technology, innovation and project.  Thank you very much.

>> MODERATOR: Thank you.

>> AUDIENCE: Thank you.  I am from Senegal.  My name is Yaga from civil society organisation.  I like to make a comment on data protection in Africa.  Please give me a couple of minutes.

>> MODERATOR: One minute, please.

>> AUDIENCE: Data protection and privacy reality or on paper?  In Africa, it's even, it's not even on paper.  We have 55 countries in Africa.  Only 25 have a data protection Act.  The first African country to have elected a data protection act is the island of Cape Verde in 2001, the second one Burkina Faso in 2004 and next from 2008 a country like Senegal has law on data protection.

Since 2001 the island of Cape Verde does not have data protection authority.  Just to let you know that out of the 25 countries, only 14 have a data protection authority, and most of the time it's weak data protection.

An example, in 15 years, any of these data protection authorities has never taken any decision because they don't have the capacity.  On top of that, political is a scare because that's American interest in Facebook.  So that means that we have to learn from what Europe is doing looking at one voice because tiny countries have difficulty dealing with tech giants.  Small countries like Senegal, Gambia, Benin, Rwanda, what can they do against this technical?  Nothing.

So they have to be dependent on African Union commission, and there we have some issues.  First, digital rights are not listed on the agenda of the African commission of human and people's rights.  Not on it.  You don't have a resolution.  You don't have a Working Group, nothing on digital rights on the African commission on human and people's rights.

So we need more voices to advocate.  So African commission can at least create Working Group on data protection and privacy.  Second the Convention on data protection and privacy, elaborated in 2014.  So far signed by 14 countries, ratified by eight countries and we need 15 to enforce.  There is need for advocacy in each country to push for Government to ratify, to sign first and ratify the Convention.

>> MODERATOR: Thank you.

>> AUDIENCE: We need to send our voices to the African Union commission for human and people's rights.  Then we have another difficulty we have few organisations that work on digital rights.

>> MODERATOR: We agree with you and the panelists especially Benga did go into some details with regards to that.  And we do need to sit down and come up with a solution to that.  So thank you very much for your input, and we will include it in our report.  Thank you.  Gentleman at the back.

>> AUDIENCE: Thank you, Chair, for the floor.  I'll go in French.

  Thank you for this interesting theme that you have put forth so that we can be able to participate in it under the Convention of the AU there is another level on top of that.  If what Dominican Republic B ratify at country level to be good and then it has to be accepted, and sometimes we see central African region the convention on the AU must go up to the national level in their laws and this is in line with what Senegal said.

Then beyond the politics and other issues to do with a fed rating organ on cyber Governments and data protection, beyond that there is a point which hasn't been raised.  That is data and how it is protected and governed.

How should we expose Internet information to users.  We need to have new markets.  This hasn't been tackled and this is regrettable.  This is an aspect on big data and AI which is important and is going to affect things tomorrow.  How do you think this is going to happen?

Do you think that the states are going to have my data when there is no method, everyone is using it?  I can use that?  No.  We will have a real problem at the higher level.  And here I want to say how will Africa move into the fourth industrial revolution and be at the level of the other continents without this.  I thank you.

>> MODERATOR: Thank you.  I would like to ask the panel if they have any comments on the interventions so far from the audience.  Thank you.

>> PANELIST: I wanted to thank the comments on the African perspective.  We didn't talk as much about the regional level with GDPR and the European initiative.  It's very much on the plate, but the role of regional organisations and this is something I think is something to pursue further.  Thanks of the.

>> PANELIST: I do have a supporting comment to Yaga's comment.  In terms of the laws that we have and the regulations and how difficult it is really we implement it against the big, big giants.  There is no real physical address where we can deliver and notice in South Africa for Meta, for example,.

We have to travel around the world chasing them down just to get comment or whatever.  It would be the same for Twitter or TikTok.  It's a real problem, and it's something that we really need to look at.  Thank you.

>> MODERATOR: Any comments from Arturo or Pilar online?

>> PILAR FAJARNES:  I found the comments interesting, but I would like to react from the last intervention from the floor.  Really, actually, I did speak about the question of the multidimensionality of data and that data and economic resource and is really a factor for development.

So that's why we are really focusing on the report and on our analysis in the multidimensionality of data.  We have to look at data as an economic resource and also the non‑economic dimension of data that we have discussed here and also the human rights.  That's why there is a need to have a holistic view in relation to data governance because data is more than an economic resource and more than human rights, it is really involving many dimensions.  Thank you.

>> MODERATOR: We are going to move to the middle panel here and then come back.  Remember, please, there are lots of hands, lots of questions.  Anything online for us as yet?  Well take one online.  Please keep it short.  Thank you very much.

>> ONLINE MODERATOR: We have one online question.  The participant is wondering if there isn't time to form a legally binding framework for cross‑border data governance within the United Nations to prevent strategic misuse of data, national big data from countries and wondering if this framework could be, this kind of framework would help digital trust and transparency at the international level and could help the formation of an accountable framework?  He is basically asking about the cross‑border data transfer.  Thank you.

>> AUDIENCE: Hello.  Could I jump in?

>> MOKABBERI S AMIRHOSSEIN:  I would like to thank you for organising this time of this session.  I am Mokabberi from the economic community.  Is it time to form a legally binding framework for cross‑border data governance within the United Nations to prevent strategic mission use of countries for proposal by some Government and national digital platform.  And could help formation of accountability for work for dominant Internet.  It could guarantee the rights to development of Developing Countries and fundamental rights of user and prevents formation of new data colonialism.  You establish drafting process of United Nations Convention on data awareness.

At the end, I would like to request my comment to reflect.

>> MODERATOR: Thank you.  Hello.  We are sorry.  We will have to take the first part of your question.  And then we will move on.  My apologies.

>> AUDIENCE: I would like to request my comments be reflected.  Thank you very much for giving me this opportunity.

>> I will quickly shoot this down.  I don't think this will happen.  I think I alluded to this in my first introduction as well.  Very simple reason, we will never be able to agree on this.  Also anything that comes from the UNGA or any of those bodies will not be binding anyway, and if we look at, I mean, even much, much less controversial topics like disability, accessibility throughout the world, there are some of the biggest nations in the world that have not signed up to this today even though it's been in force for 40 years now, so this will not happen in my opinion.

>> MODERATOR: Go ahead.

>> .  I wanted to add there I'm not disputing whether or not a legally binding treaty is achievable, but I think the point is around the need for a global look at these issues and especially given cross‑border transfers, I think that makes sense.

We heard so many of the comments talking about the need for approaches that take into account local context, but there are fundamental principles and human rights at stake where the idea of having set principles that we want incorporated into laws and making those principles clearly articulated at a global level I think can be very influential in making sure that we have the right types of data protection across the globe from region and coherence across those approaches as well.

I agree probably not the time to push for the legally binding treaty, but I do think there is room to continue work on global key principles that can be agreed and used in data protection legislation and for oversight and other mechanisms of that sort.

>> MODERATOR: Thank you.  Arturo.

>> ARTURO‑MUENTE KUNIGAMI:  We may not be able to have binding instruments, but frameworks, agreements, I mean, the initiative that the Ambassador shared, I am going to take a deep look at it.  These kinds of instruments are the ones that can help create that as a person that raised the question data compacts or some kind of framework and initiative.

That's something that can happen.  On governance we have the intrainstitutional governance which is required, interinstitutional governance within Governments that is required.  Those two can be mandated within, of course, a country, but the intercountry, the international kind of governance, that needs to be something that requires sort of a process that maybe a little longer and will probably require the countries to be looking forward to it.

So I think that this kind of initiatives are definitely needed, but I don't see them as the previous panelist said as binding and enforceable.

>> MODERATOR: Thank you.  I will stop at this, the middle section here.  Young lady in the white.

>> AUDIENCE: Hi.  I'm from innovation foundation in Switzerland.  I wanted to build on what was previously mentioned.  It is evident that different countries are at different stages of development and adoption of data protection measures, and on a practical note, could you recommend any let's say self‑assessment, how countries can proceed or start to assess themselves where they stand on the data protection and data privacy in their own journeys?

I know that, for example, EU has the GDPR checklist for self‑assessment and I think that will be useful if you know of any other resources countries could use to self‑assess and start to look at the issue in a more standardized way.  Thanks.

>> MODERATOR: I think that's a good question.  If anybody knows of any toolkits that persons can use to make assessments on the panel.

>> PANELIST:  I think what you have mentioned as the GDPR checklist would be something that most regulators and countries are using because it is the one that we all, are all trying to align and be comparable with in order for us to have, and that's why maybe it is missing the attempt to go for a more broader framework that a lot of countries can maybe subscribe to is maybe a bit harsh but maybe trying and finding the places where we are failing and rectifying and going again in an iterative manner.

A lot of the things we are talking about today may not be for the benefit of the people sitting here.  It may be for the benefit of future generations, and we have to keep attempting.

>> MODERATOR: Anybody else like to make a comment?

>> AUDIENCE: My name is Ismail from Gambia.  I have a question with regard to questions like Uganda that doesn't have data regulation, data protection regulation at hand, but still, they are still collecting data regards to digital IDs, biometric information, so on so forth.

So I am asking what are the approaches that we could use either at UN level or civil society level, actually the process of those Governments with those regulations, because I think they are not going to stop collecting the data and lack of regulations is a problem.  Thank you.

>> PANELIST: What I have seen in the past around the world is that in election time, we all vote on taxes or education or on defense policy or anything like that, and perhaps we should rather consider the digital angle of all of these different topics.  So one of the things that I would encourage you and everyone else in the room to do myself very much included next time that we go to the polling station, we think not just about specialist topics but also about the digital implications and if you feel like there is a political party or a movement that drives data protection privacy more strongly than others, then that might very well be worth supporting.

>> MODERATOR: Benga and then Peggy.  Thanks.

>> BENGA:  Just reacting to Gambia, there are two things I want to say, number one and I hope you are aware there is an ongoing process.  The reality is there are Governments who deliberately do not prioritize protection because what that means is then they are admitting that many of the processes, they instituted become illegal.  I gave some examples earlier, and assuming the examples, at least 11 countries where they do know that mass biometric data collection is illegal.  It's not proportionate, it's not legal, it's not necessary.

So there is no incentive to put together legislation to call themselves criminals.  Why would you want to do that?  That's one.  The second thing is I think you as a citizen regardless of the setting you are in, you need to hook up with other people in the country, and I'm not speaking just as Gambia now.  It is our responsibility as data owners to push back.

This is why I say that we are going, it's going to get more complex.  We are going to gather more data.  We don't even know what we are going to talk about next.  We are going to get more data and we need to push back and ask for data minimalization.  We need to stop giving data that is not necessary.  Some would mean you have to ask more questions, but I would encourage that, please, link up with other people in Gambia, specifically, given one project or another we are working on data protection so that the process can move on and we need to make it obvious to Governments why this is also a win for them.

Politicians will do their things that will help them win the next election and you have that opportunity in Gambia in particular.

>> PEGGY HICKS: Just picking up on Benga's point, absolutely.  I was going to emphasize that you do have to look at why the data protection regulations and bodies aren't in place.  And address those barriers.

Sometimes it is, and we talked about needing good models, having good resources to put things in place, and we should all support that to happen, but the reality is there are other barriers, and sometimes they can be political as has been talked about.

I want to emphasize that even when national laws aren't in place, international human rights obligations still apply, and that means that when Governments or others are collecting and using data in ways that violate the right to privacy, we have a human rights abuse, that can and should be taken up by international human rights bodies and just two examples of how that might be done.  One is through the Universal Periodic Review where each country is reviewed by the Human Rights Council.  Questions can be asked by other states about what is the status of your data protection law and how are you moving forward on these issues, and that's proved a useful way to push for legislative reform on a number of issues in various countries.

The second thing I would mention is the special procedures system, for example, there is a Special Rapporteur on the right to privacy and communications and other interventions can be sent talking about violations of the right to privacy in the state to which if the Rapporteur picks it up, the Government will need to respond to that as well.  So there are a variety of different mechanisms using international human rights law that might be useful.

>> MODERATOR: Thank you very much.  Usually we ask each panelist to give a wrap up, but I think we had a good rapport going on and the conversation and dialogue is being good.  So I will let the one last patient question from the young lady here, and it has to be like 30 seconds.

>> AUDIENCE: Yes, thank you actually.  My question has been asked by others, but just a quick question, after seeing the current FDAs we set up as a basis to develop a global framework for data flow.  Is that accurate enough or should it be a base foundation for us to build on for global framework?  The FTAs and the WTO negotiation.  That is my question.  Thank you.

>> MODERATOR: Anybody want to get that in the last 30 seconds?  I want to thank my panelists for a fantastic job.  And the audience both online and on site.  You kept everything going, I think, a lot of you have a lot of takeaways that you can use, and I think the biggest take away that we can go with is that we are ourselves, we, the owners need to make the difference with regards to data governance and protecting our privacy.  Thank you very much.