Internet data protection under different jurisdictions

Event report

The panel explored the existing data protection regulations and discussed ways to make user data better protected.

Due to the nature of the Internet, there is cross-border data transfer that brings an international dimension to the data debate. Globally, there are data protection concerns and therefore there is a need to discuss how user data can be protected. As each, jurisdiction makes its own laws, which are conflicting at times and therefore there is a significant challenge to make these regulations harmonious. In this context, Mr Leon Sanchez (Board Member, ICANN) highlighted the difference in approach between the General Data Protection Regulation (GDPR) and the Mexican Data Protection Law in distinguishing between natural and legal persons. Such differences in approaches in data processing will continue to pose challenges when dealing with cross-border data. To address this issue, he suggested the establishment of data protection agreements between countries, the establishment of exceptions, and the attempt to avoid extraterritorial jurisdiction.

The influence of the European GDPR on the data protection laws of North Africa was highlighted by Mr Mohamed El Bekri (IT Engineer, Data Protection Authority CNDP, Morocco). However, he mentioned that in some areas the laws are modified to the local context. He also pointed to the disparity of laws between countries in the region, hoping that in the future, there will be more convergence in laws with some regional integration.

Ms Dima Samaro (Policy Analyst-MENA, AccessNow) expressed concern  about privacy breaches in the MENA region (Tunisia, Jordan), noting that  most North African privacy laws do not have the right to remedy, liability, lack accountability. To protect users’ rights, she stressed the importance of enforcing data protection laws. She suggested that while implementing global laws, the regional context needs to be taken into consideration.

Dr Farzaneh Badii (Research Associate and Director, Social Media Governance Initiative, Yale Law School) discussed how jurisdictional differences impact users. She highlighted the need to analyse what sort of laws and practices affect the Internet globally, the interplay with Internet institutions and their landscapes, and what sort of jurisdiction may actually affect the Internet and users globally. In this context, she cited the example of the Internet Corporation for Assigned Names and Numbers (ICANN), which published the user data until the GDPR entered into force, after which ICANN asked the registries and registrars to protect the sensitive data of people of Europe. However, changes in ICANN’s policy in line with European regulations have affected the Internet users across the world.

Asked whether an international framework or an instrument can address the issue, Badii and EL Bekri replied negatively.

Mr Tijani ben Jemaa (Engineer, ICANN) proposed the creation of some common principles around which everyone makes an agreement agrees and then start from there. To protect user rights, Sanchez suggested creating a single framework with principles and basic definitions and understanding the processes and controls. Badii suggested that when people are affected by the practices and laws of a specific region or country, that needs to be addressed.

There is a need for a universal access and then for the definition of the global Internet citizenship and the national Internet citizenship, an online equivalent of the Universal Declaration of Human Rights, argued Mr Sam Lanfranco (Partner, The Brocas Group). He added the need to define the principles, integrity of business practices, social practices, government practices, and integrity in the Internet ecosystem.

To protect user data globally, Badii suggested focusing on global frameworks and not relying on a single national law. Dr Joanna Kulesza (Professor, International Law and Internet Governance, University of Lodz, Poland) pointed out that, since there are already the existing frameworks in place, such as the GDPR, the international treaty that protects personal data contained in the Universal Declaration of Human Rights, as well as the OECD guidelines that deal with how privacy of data can be protected, there is no reason to create a new framework or new instruments.

Lanfranco and Sanchez proposed the adoption of a multistakeholder approach. Lanfranco added the need to build on what we have, using a multistakeholder model. There is a need to define principles, rights, and duties of a global citizen. He cited the example of the international agreements of the International Labour Organization, where the multistakeholder model produces the recommendations that then become multilateral agreements. Kulesza suggested reshaping the multistakeholder model to make it better, and felt that co-regulation may be a workable approach.