Consumer data rights from Japan to the world | PART 1 | IGF 2023

8 Oct 2023 04:45h - 06:45h UTC

Event report

Speakers and Moderators

Speakers:
  • Amy Kato, Consumers Rights Japan, Civil Society, Asia
  • Sheetal Kumar, Global Partners Digital, Civil Society, Europe
  • Minako Morita-Jaeger, University of Sussex, Academia, Western Europe/Asia
  • Diego Naranjo, European Digital Rights Initiative, Civil Society, Europe
  • Lisa Garcia, Foundation for Media Alernative Philippines, Civil Society, Asia
  • Toshimaru Ogura, Japan Computer Access Network (JCA-NET), Civil Society, Asia
  • Damar Juniarto, SAFENet Indonesia, Civil society, Asia
  • Masayuki Hatta, Movements for the Internet Active Users MIAU Japan, Civil Society, Asia
  • Shoko Uchida, PARC Japan / G7 Civil Society lead, Civil Society, Asia
  • Melinda St Louis, Public Citizen, Civil Society, North America
Moderators:
  • Javier Ruiz Diaz, Consumers International

Table of contents

Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.

Full session report

Javier Ruiz Diaz

Javier Ruiz Diaz, a respected Senior Advisor working on Digital Rights for Consumers International, is actively encouraging collaboration around data governance within the culturally rich and diverse Asia-Pacific region. Consumers International is a global coalition comprising a collective of 200 member organisations that span an impressive 100 nations. This influential group elicits a positive sentiment in its vision of fostering metaphorical harmony in the approach to regional data governance.

Diaz acknowledges the potential of the Asia-Pacific region; its unique position as a cradle of technological innovation and a hub for emergent consumer and digital rights organisations will enable it to contribute priceless ideas and proposals. This untapped capacity has spurred the need for discourse and collaboration within data governance. Accordingly, Diaz is observed fervently advocating for the greater inclusion of this region in global dialogues on data governance, assured of its meaningful potential contribution to the dialogue.

Simultaneously, Diaz is organising a proactive follow-up intervention. This initiative seeks to bridge the gap between consumer and digital rights organisations and policymakers, creating a unified approach to further discussions about data governance in light of rising concerns about consumer rights in the digital era. This collaborative approach aligns harmoniously with the guiding principles that map to the Sustainable Development Goals (SDG 16: Peace, Justice, and Strong Institutions), and mirrors a commitment to establish a robust regulatory framework in digital policymaking efforts.

In summary, the evolving narrative underscores Diaz’s pivotal role in creating innovative partnerships in data governance. It highlights a resonance with SDG 16, advocating for just practices in regulatory landscapes, further solidifying his commitment to peace, justice, and strong institutions. Moreover, his initiatives in synchronising collaborations with SDG 9: Industry, Innovation, and Infrastructure bear testament to his dedication in advocating innovative solutions that pave the way for sustainable infrastructural development.

Amy Kato

Review and Edit: Check for grammatical errors, incorrect sentence formation, typos, or missing details, and make necessary corrections. Ensure UK spelling and grammar are being used in the text, and correct it if not. The expanded summary should mirror the main analysis text as closely as possible. Ideally, include as many long-tail keywords in the summary as fitting, without compromising the summary’s quality.

NAN

The Indo-Pacific Economic Framework for Prosperity (IPATH), a confidential agreement involving 14 nations and governed by the U.S., has drawn much attention due to its significant implications for digital trade, data privacy, and data protection.

IPATH is projected to conclude by November 2023 and has a critical commitment to enforceable cross-data flows. This key aspect has instigated apprehension, as it is perceived as a significant barrier to enhanced data privacy and security. Critics suggest that these enforced requirements could disrupt protective measures for cross-border data transfers, undermining privacy protections; therefore, posing substantial barriers to data privacy and security. This could lead to data being transferred to countries that lack stringent data protection measures.

A contentious aspect of IPATH is the forced non-disclosure of source code and algorithm details. Critics argue this might lead to algorithmic discrimination whilst undermining transparency and accountability. Such restrictions could impede independent verification of how software functions, profoundly impacting the trajectory of AI regulation at regional and national levels.

NAN, a participant in the IPATH negotiations, has expressed its opposition to the initiative. NAN highlights the potential for U.S. control over data flow and transparency in AI and coding, deemed detrimental to Southeast Asian and South Asian countries’ interests. The inclusion of U.S.-Mexico-Canada Agreement (USMCA)-like provisions within IPATH, according to NAN, could limit regulatory options and subject data to the lower-standard data protection norms in the U.S.

In conclusion, although IPATH is promoted as a means to boost prosperity in the Indo-Pacific region, its potential consequences in terms of data privacy, protection, and digital rights have elicited considerable anxiety and resistance. Use of UK English verified; no grammatical errors, typos or omissions detected.

Jam Jacob

Launched in 2011, the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) system was set up to oversee data governance and privacy. However, it exhibits limited efficacy, supported by the fact that only 9 out of the 21 member economies choose to participate to date.

The certification process for CBPR consists of several phases, beginning with a self-assessment stage, proceeding to an assessment by the accountability agent, followed by a recommendation phase, and culminating in the awarding of the certification.

Nonetheless, the CBPR system has drawn substantial criticism. A prime concern is its inherent tie to the privacy framework established by the Organisation for Economic Cooperation and Development (OECD) in the 1980s – a framework now considered outdated by many. This correlation gives rise to uncertainties about the system’s aptitude to adapt to the fast-evolving digital landscape.

Additionally, the high costs associated with obtaining a CBPR certification – a sum ranging from $15,000 to $40,000 – serve as a deterrent for smaller or less financially well-off organisations to participate.

Further complicating matters, civil society’s inadequate representation in CBPR dialogues and decision-making processes results in a governance approach that is largely market-driven. This flaw could result in the overlooking of broader societal interests and concerns.

In 2022, the more encompassing Global CBPR Forum was introduced. This entity has a wider operational remit compared to the APEC CBPR, leading to speculation that it may render the traditional APEC CBPR system obsolete.

If the Global CBPR Forum indeed offers more thoroughgoing and effective data privacy solutions, it may precipitate a significant shift in the data privacy and governance landscape. However, further research and observation are necessary to verify this potential outcome.

In summary, the APEC CBPR system – although launched with laudable intentions – appears to be encumbered by several key shortcomings, including high costs, limited adoption, linkage to an outmoded privacy framework and underplaying of civil society. Emerging platforms like the Global CBPR Forum might provide alternatives and potential enhancements in the future.

Pablo Trigo Kramchak

The Digital Economy Partnership Agreement (DIPA), a ground-breaking trade agreement, has sparked considerable debate due to a range of features it encompasses. It has been noted that DIPA ostensibly mirrors the provisions of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) with respect to cross-border data transfers. Effectively, the DIPA rules that oversee cross-border data flows mirror those of the CPTPP provision for cross-border information transfers. This alignment is evident in the DIPA’s provisions concerning data flow regulation, as stipulated in Article 4.3, which confirms the parties’ commitments that were embodied in prior agreements.

Another pivotal element in DIPA discussions is its pronounced alignment with the United States’ data governance model. The provisions of DIPA exhibit significant conformity to the approach the United States advocated during the Trans-Pacific Partnership (TPP) negotiations, which formed the basis of the CPTPP agreement. The potential implication of this alignment is that broad acceptance or replication of these terms could effectively result in a de facto standardisation under the American data governance model, according to some critiques.

In spite of its status as an innovative instrument among Free Trade Agreements (FTAs), DIPA has garnered critique for its apparent lack of progress in terms of cross-border data flows. Critiques propound that DIPA fails to carve out a new path in this sphere as it doesn’t lay down minimum standards for personal information protection, instead advancing interoperability via the adoption of voluntary self-regulatory approaches.

Further, due to its reflection of older agreements, the accord could create significant challenges for countries not part of the CPTPP. Consequently, these nations may find complying with DIPA’s terms particularly challenging.

In conclusion, despite its original intentions, DIPA has provoked contention due to its firm affirmation of past agreements, lack of novelty in terms of cross-border data flows, and echoing of the US data governance model. The concerns raised offer valuable insights into the possible implications of broad acceptance or replication of DIPA’s terms, underscoring the necessity for further discussion and careful evaluation.

Minako Morita-Jaeger

In this comprehensive analysis of global data governance models, three predominant approaches are identified, each exemplified by a unique geopolitical entity – the European Union (EU), the United States (US), and China. The EU, focusing on a human-centric methodology, places emphasis on the protection of human rights, fair competition, and effective moderation of platform content. Conversely, the US’s philosophy favours a less intrusive government role and is predominantly market-led. Lastly, China’s state-driven model seeks to establish technological dominance, promote data sovereignty, and exercises robust government surveillance.

When examined from an International Trade perspective, trade agreements frequently prioritise the unobstructed flow of data across borders. This dedication to free data movement presents a significant challenge when attempting to harmonise with critical aspects such as data privacy, fair competition, and intellectual property rights: elements potentially compromised by free data flow agreements.

It’s equally noteworthy to observe the stark disparity in domestic data governance policies among countries aligned within the same trade agreement. This nuance is evident among signatories of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), where countries like the UK demonstrate superior regulations, responsibility towards use policies, engagement with stakeholders and adherence to international norms, in stark contrast to other signatories such as Chile, Malaysia, Peru, and Mexico.

The pursuit of promoting free data flow with trust is a formidable challenge. As a response, some advocate for more grassroots, multi-stakeholder engagements. Currently, data protection is often viewed as an impediment to market access within the framework of trade agreements. This varying interpretation of ‘Free Data Flow with Trust’ underlines the complexity and vast scope of challenges confronting global data governance. In essence, these disparate understandings demonstrate the significant hurdles on the path of responsible and efficient global data governance.

Paula Martins

Paula Martins leads the Association for Progressive Communications (APC), a global networked organisation with 103 members in 74 countries. APC primarily focuses on social, environmental, and gender justice while interweaving technology and data governance. Besides its primary members, APC also partners with environmental and gender organisations that tackle digital issues, positioning data as crucial to a spectrum of operations.

The advocacy and implementation of appropriate policies are central to APC’s work across various regions, thus making data pivotal to their actions. APC has an expansive reach, made evident by their 24 affiliates in Asia, underlining their impressive global presence.

APC has formed a strategic alliance with Consumers International. This collaboration aims to broaden an understanding of data governance within their sphere of operation. The central objective of the partnership is to enhance information sharing regarding progress in regional data governance and to foster an environment that encourages networking among partners. This joint venture seeks to identify and act upon opportunities that would further their comprehension of data landscapes and contribute directly to targeted Sustainable Development Goals (SDGs).

Their SDG focus includes Gender Equality (SDG 5), Industry, Innovation and Infrastructure (SDG 9), Peace, Justice and Strong Institutions (SDG 16), and Partnerships for the Goals (SDG 17). By aligning their work to these specific development goals, APC is poised to make a significant impact in the fields of technology and data management, coupled with a commitment to essential sectors like gender and environmental justice. This positive action towards digital rights and data governance, combined with their capability for collaboration, characterises the current landscape in which APC operates.

Session transcript

Javier Ruiz Diaz:
Thanks a lot for bearing with our last technical checkups. So my name is Javier Ruiz, I’m a Senior Advisor on Digital Rights for Consumers International. It’s a global coalition of consumer organizations from all around the world. We have 200 members in over 100 countries. And we are here today together with Consumers Japan and the APC, the Association for Progressive Communications. And we put this workshop together to, as you saw, to try to start promoting some collaboration in the region around the issues of data governance. Because as we see, the Asia-Pacific region has got a lot to contribute, and it’s got a lot of ideas and proposals for how data should work, which are quite influential globally. And we think that we want to see more discussion from consumer groups and grassroots organizations on this topic. And also to connect these debates with some of the discussions taking place as well. So we have some colleagues here from Austria and from elsewhere coming to also talk about what’s happening. So I’m going to let Amy Cato to introduce Consumers Japan, and then Paula. And then after the brief introductions, we will start with the speakers. And just to give a very brief order of the day, we are not going to keep a totally regimented timetable. We are going to try to be flexible, depending. But the idea is roughly that we are going to have one hour of presentations and discussion on the various data governance initiatives and policies that are taking place in the Asia-Pacific region, which includes the cross-border privacy rules, the IPF, DEPA, Digital Economic Partnership, and similar. Then we will have a second block of roughly, possibly an hour, although we may start getting shorter as we go along, looking at national context and what is happening in Japan, what’s happening in Korea, and what’s happening in other countries in the region. And then the final block would be more like a collective discussion to try to organize some follow-up intervention. So one of the things that we want to see is not just a discussion here today, but trying to get some idea for where consumer and digital rights organizations should intervene, trying to engage with the policy makers on these topics. So I will let now, just after a brief overview, I will let Amy Kato. You want to just introduce Consumer Japan?

Amy Kato:
Hi, my name is Amy Kato from Consumers Japan. Thank you.

Paula Martins:
Hello, good afternoon, my name is Paula Martins. I am Policy Advocacy Lead and Program Manager at the Association for Progressive Communications, APC. APC is a networked organization. We have members and associates in 103, I’m sorry, I’m going to start again, because I’ve really got confused with the numbers, so bear with me, it’s jet lag. So APC is a networked organization, and now I’m going to get the numbers right. So what we have are 103 members and associates in 74 countries. Apologies for that, including some of which are here in the room today and collaborating with this conversation. We have 24 members in Asia. Most of these members are in the global majority countries, and they are very diverse members. We all work on the intersections between social, environmental, and gender justice, and technology. So they are, broadly speaking, digital rights groups, but they really are diverse in terms of the focus that they have in the work that they are doing at the national and the regional level. Data is key to a number of them in different ways. So you have gender organizations, you have environmental organizations, looking at digital issues where data is a critical element of the advocacy and the policy, the capacity building that they are doing. So this is central to the discussions that are taking place within our network. And we were really happy to join efforts with Consumers International to put together this session. Our view, our idea is really to create a space to share info, to learn more about what’s going on in relation to data governance in the region. But also to promote more synergy, including among us, and the idea of bringing together our networks, our partners working on consumers’ rights and digital rights, so that we can explore concrete joint actions, maybe following up to this discussion. So thank you all for being here and joining us today. It is a pleasure to be here in Kyoto.

Javier Ruiz Diaz:
Thank you, Paola. So now, our first presentation today is going to be Dr. Minako Morita-Jager, who’s a senior research fellow on international trade at the University of Sussex in the United Kingdom. And she’s going to give us an overview of the data governance based on her research. So please, Minako.

Minako Morita-Jaeger:
Thank you, Javier. My PowerPoint. Yes, lovely. And then you can, yeah, and you can change it when I, I mean. Can you just wait, please? Then maybe, I can, okay, thank you, yeah. Good afternoon, everybody. My name is Minako Morita-Jager. I’m based in the UK. I’m still, I just came to Japan two days ago, and I’m still suffering jet lag. If I fall in sleep in the middle of my talk, give me a shot, but very gently. Please. So I’m going to just give you a very, you know, that wide picture of what is going on at international level. So I’m working at the University of Sussex. Also, we have that kind of think tank with a co-established together with the Chatham House. We have the UK Trade Policy Observatory, where I’m doing the research policy, policy research for that. And then also that the Center for Inclusive Trade Policy. We are promoting trade policy for all stakeholders equally. Because I’m trade policy expert, I’d like to just explain that kind of the linkage between the data governance and trade as well. First of all, I think you know very well, but what is data governance? And the definition here is maximizing opportunities while protecting the rights. That is the governance. And then, but according to World Bank, sorry, it’s not from the United Nations, but not only good data management, but establishing norms and rules about rights, principles, and obligation around the use of data. Multistakeholder approach is a key for the data governance. This is why we are gathering here today. So when we think about data governance, so this is a kind of welcome to the world of tech hegemony. So there, well, in academia, we had a kind of general understanding of the three types of data governance. First, it’s the left side, the EU. This is a human-centric approach of human rights. It’s a fundamental right of the EU constitution. And they just, the EU is more kind of the promoting the, you know, the more for protecting the human rights, and then also the fair competition, and then platform content moderation. So that all stakeholders equal the benefit from the digital economy. And the opposite or the kind of sort of the contrast is the US type of approach. This is market-driven approach. So that gives really minimum or almost zero in the government intervention, and the market everything, and giving the kind of freedom to conduct business. So free economy, digital economy. And then giving the kind of self-regulatory framework regime. That is, but a base of the, you know, principle here is free speech. It’s not a little bit different type of approach, you know, in comparison with the EU. It’s a free speech. It’s not human rights, but a free speech is a really key for the United States. And then government is kind of taking sort of the partnership, very close partnership with the big tech companies to promote this digital economy strategy. Then lastly, China. China takes the state-driven approach. The government seeks to achieve the technological dominance at the international level, and then promoting data sovereignty. That means the, well, the Communist Party, China Communist Party, really promoting strong surveillance over its citizens. And then sort of control people’s freedom for the sake of the political agenda or propaganda. So this is the three types. And they are fighting each other horizontally, and then also vertically. For example, because of tech hegemony, the American companies doing business in China, fighting with the Chinese government, or just give up market, Chinese market coming back to the U.S., or vice versa, and then Chinese companies in the U.S. have to be, to give up the U.S. market because of this enhancing, very increasing technological rivalry between China and the U.S. So the one thing that’s, in addition to these three major type of the data governance we see on the other international level, I also would like to add the one more kind of the group, which is Asia-Pacific countries. That is, I would say, the Asia-Pacific country is taking the trade-centric approach, I will say. Then that means, over the last several years, like Australia, Singapore, New Zealand, and also Japan, and then Korea, promoting the digital trade agreements or digital trade chapter inside the free trade agreements, and then try to promote free data flow. But the difficulty here is because of trade agreement is something that promoting trade, it’s really the real priority. So the balance with the data privacy, fair competition, intellectual property rights, and that’s really sort of the second layer of the objective. And then that what is they are so far creating the FTA is really focusing on the free data flow and openness does matter. So that means now that we are talking about from this morning, Minister Kono Taro, that Minister Taro said, well, data DFFT, data free flow with trust, and that is really sort of, it’s not compatible from the trade policy perspective. This is more from the data free flow, per se. So trust, how to just create trust under the trade framework is really now getting to the very difficult point. I think then other speakers may just talk more about the free trade agreements later. But the thing I would like to say is, as I said, that there is a three type of data governance at international, US, EU, Chinese time. But this market-driven approach is something that from 1990s, US government, that time is Clinton’s administration, promoting internet freedom agenda. And then that’s really embedded in the trade agreement, like the one thing is, for example, CPTPP, the provision is drafted by Google, actually. And so this is really the tech giant is what I would like to do is this way, is really written in the CPTPP. So this CPTPP became the base of the digital trade agreements these days. So when we just look at the international perspective, there’s a trade agreement, which is a sort of the given transparency. But on the other hand, the market-driven approach, and when we look at the countries by countries, even having the countries among the countries which had a very sort of deep digital trade provisions, they are taking completely different approach in terms of domestic data governance. For example, when we look at the regulatory perspective, this is a left side up. This is a sort of government’s legal regime around data uses and then reuses. For example, CPTPP, FTA, recently United Kingdom joined the CPTPP. But comparing with other CPTPP members, regulatory framework that the UK is really the best, and then especially the data governance, European countries have very good quality or the high quality data governance, so that the UK is really the top among the CPTPP countries. When we look at the responsible, look at the UK is really 100%, but other countries in the CPTPP is almost nothing, especially like in emerging countries, like such as Chile, Malaysia, Peru, Mexico. It’s really they don’t have the responsibility. They don’t promote such as a data charter, responsible AI initiatives and so on. They don’t have this kind of the law or regulation inside the countries. When we look at participatory, this is a stakeholder, to what extent wide variety of stakeholders participate in the policy making. Again, the United Kingdom is 100% and in Australia, New Zealand, somehow that Canada is more transparent, but other countries, not really. The stakeholders that cannot participate are not fully, or not at all participating in trade and data governance making. And then finally, international level, this is to see to what extent the government join efforts to establish shared governance rules, like convention, the Human Rights Convention. Again, here, even in Singapore, which is really the lead promoter of international trade agreement in this chapter, they are lacking the kind of human rights protection perspective. So, what I’d like to say is that today, the free data flow with trust is something that is very important, but still political level. And when we look at the domestic level, also the horizontal battle between the three major giant is in practice promoting or implementing free data flow with trust is very difficult and especially the role which trade agreement plays is very limited and also given a kind of the challenging the way that the WTO free trade agreement is more that looking at human data protection is a sort of the way to just the non-tariff measures we say the obstacle for the market access so we don’t know this is why that we have to think about how we promote free data flow is trust was why the variety of stakeholders engagement so interoperability is something that we really have to start or promote from the bottom-up level it’s not a top-down but the norms and then after date free data flow with trust is also the very different interpretation among countries so I stop here

Javier Ruiz Diaz:
so thank you so much so Minako has given us an overview of the issues around data governance and particularly as she has described you know how connected they are to digital trade which is one of the really important frameworks to understand this space now we are going to start going through some of the main data governance spaces and initiatives in the region and now Jamel here he’s going to give us an overview of the CBPR so I’m going to change the slides here

Jam Jacob:
thank you Javier and good afternoon everyone so my name is Jam Jacob I’m from the Philippines and I’m here representing the foundation for media alternatives it’s a civil society organization working on the shared space between human rights and technologies so as Javier mentioned my task for this moment at least is to provide an overview of the Asia Pacific Economic Forum’s CBPR system or cross-border privacy rules system which is one of those mechanisms currently in place that’s supposed to regulate in some way the flow of information personal data in particular so we are we were we have been talking about data governance so as far as the APEC CBPR is concerned it’s it zeros in on one aspect of data governance which is the flow of information so briefly the CBPR is actually the as I mentioned was developed by the APEC it was launched basically around 2011 and it is still currently in place but as I will be discussing in a bit its future actually is quite in question given this other system that has just been launched in the middle of last year so what is the APEC cross-border privacy rules system so in a nutshell it’s a certification system developed by the 21 member APEC group and the objective here is essentially to facilitate the free flow of information so that’s a familiar phrase that we’ve been hearing so far during our short time here today to facilitate the free flow of information at least among those economies participating in this particular system free flow while at the same time ensuring there is supposedly adequate data protection or data privacy measures so how does the APEC CBPR system work so if you are an organization that’s based in any of these at least nine member economies currently participating in this system you can get yourself certified rather and by doing so once you become certified you are essentially able to at least this is the idea you are essentially able to transfer personal data to another certified organization in another APEC economy that’s participating in the CBPR system so that’s essentially the benefit that you get if you become certified now how do you become certified it’s essentially through an assessment and this assessment has two components the first one is basically self-assessment you are given a questionnaire as an organization you are given a questionnaire by one of these so-called accountability agents and the objective of this questionnaire is to determine how much your data protection policies and practices measure up or are aligned with the so-called program requirements so this program requirements of the CBPR system we can more or less look to them as the standards against which all certified organizations are assessed or are evaluated and then once you are done accomplishing this questionnaire you turn it over to the accountability agent and this accountability agent also performs an independent assessment so more or less it verifies or checks how accurate your own self-assessment was in terms of your ability to meet the so-called program requirements then after this two-part process if the accountability agent is satisfied it recommends that your organization be granted or be given such certification so it recommends to the APEC body that that group within the APEC to provide you with that certification and then once that is done your name as an organization and a few other details pertaining to your certification is displayed on the APEC website now just two other things to complete I suppose that picture is who are these accountability agents they may consist of private entities as well you apply to become an accountability agent with your with your government or whoever within the within your country is responsible for your country’s part or your economy’s participation in the CBPR system it is possible for a government agency to become an accountability agent so that is very much an option as well and then finally how do you become as a as an economy how do you become a participant to this system you also apply to the APEC privacy subgroup and they screen your your application I don’t think it’s that complicated we don’t have enough time to go over the specific requirements but suffice to say it has its of four requirements as a country as an economy if you want to participate you comply with those four requirements and that essentially jumpstarts the process of you joining this particular system so next okay so given that this is how the CBPR system works what have parties so far seen as the so-called benefits of participating in this system for proponents certainly they say that by taking part in the system as an organization you are able to present some tangible proof that you are at least committed to upholding data protection or data privacy within your organization and specifically when you carry out data transfers across borders it helps also as far as governments are concerned this supposedly benefits them as well because it more or less identifies which are those organizations that have that are more or less likely to comply with their own respective data protection laws in any given particular country that’s participating in the system second is it creates a common set of standards as we all know now while the GDPR stands out certainly among this growing number of data protection laws around the world there is that clamor already to have one set of standards so as to make compliance especially among businesses organizations easier so by having the CBPR system in place those so-called program requirements there’s they represent that common set of standards of course whether those standards are effective or insufficient that’s a different conversation altogether and then finally proponents say that this system this mechanism is good because it does not disrupt local regulatory environments and by that we mean if you have a date for example if you use Japan as an example Japan has its own data protection law by participating in the CBPR system it does not in any way change the regulatory requirements of the of the domestic data protection law if you are required to perform or to observe specific regulatory obligations none of those change you are still required to comply with all of those things even if you are a Japanese organization that is certified under this particular system now with those as benefits critics and other observers also have noted a lot of issues or problems with this particular system one is it’s in a it does not actually provide adequate data protection the CBPR system has the APEC privacy framework as its main guidance document if you will and the APEC privacy framework is essentially rooted in the OECD fair information principles which dates back to 1980 if I’m not mistaken and as pointed out by a lot of critics while the OECD principles have actually been updated I think it was in 2013 the APEC privacy framework has not it has remained stagnant since it was developed around 2003 or 2004 so there’s that and then you have this small buy-in among even the APEC members so APEC has 21 members and only 9 currently are participating in the CBPR it actually has a partner system which is the privacy recognition for processor system and in that part and that one focuses on data processors and that one only has two participants I think that would be the US and in Singapore so I guess that that’s that also shows or is indicative of how effective this system is if even among APEC members that even half see it fit to participate in this mechanism so what signal does it provide to to others it lacks positive influence on domestic laws I think many would consider the GDP as currently the gold standard as far as data protection laws is concerned and this much is evident when we see all of these new data protection laws cropping up all over the world and certainly in our region in Southeast Asia and the influence of the GDPR is very much evident but because of the nature of the CB of CBPR of APEC CBPR wherein it does not supposedly change any of the existing data protection laws and does not compel any government participating in the system to change their existing data protection laws so it has very limited positive impact as well there is that under representation of civil society so while this is mainly backed by the government it requires significant participation by the private sector especially when we consider that accountability agents actually are mostly part of the private sector themselves and civil society is mostly left out of the conversation so if we are talking about the three types of data governance mentioned earlier one would think that civil society would be the ones to push more for a human rights centric type of governance but because they are left out of the conversation for the most part we have we see the second type of governance more evident here which is the market driven one. As far as the legality and enforcement of legal challenges it also the issue here also can be traced to the APEC itself because the APEC unlike other regional organizations it has no chart it has no constitution to speak of it’s not a treaty so any mechanism it develops is mostly consensus based so there are no existing mechanisms that would really a strong mechanisms at least that would really compel governments to abide by the requirements of this system and more so those organizations actually certified under this system. And then there is the question of fragmentation this is actually quite ironic in the sense that proponents of the CBPR system because they say that it creates a common set of standards they say that it tends to solve or at least helps avoid fragmentation by providing that common set of standards but if you look at the CBPR itself because it is focused only in data controllers and you would require another system the PRP I mentioned earlier to also deal with data processors so it is also inherently fragmented unlike other systems or mechanisms in place that already takes into account data controller data processor relationships and all these different permutations. And then finally there is that issue of cost it’s not actually cheap to get yourself certified and it’s not and it was not very easy for us to look for actual figures to determine how much it cost but there is this at least one accountability agent based in the US that provides a rough estimate so they say that it takes an organization over there between $15,000 to $40,000 to get itself certified. In Singapore they only provide the $400 amount to as I think it was an application fee but the assessment fee itself there is no figure that we were able to secure to provide again a general estimate of how much it cost to get yourself certified for instance if you were in Singapore. And before I end I would allocate just this one slide about the global cross-border privacy rules forum. So why is this relevant when we’re talking about the APEC CBPR? Well as I mentioned earlier this was established just last year in 2022 and it is important because it is essentially a replica of the APEC CBPR system and its partner system the PRP systems. Very much a replica in the sense that the same countries who are now participating in the APEC CBPR are actually the same countries also behind the establishment of the global privacy rules forum with the exception of Mexico. And then all its elements at least so far because they are still in the process of developing it with additional details so far what we’ve seen is that all the different mechanisms the elements of APEC CBPR have also been transplanted to the global forum. Even the accountability agents recognized under the CPPR they will be automatically recognized also under the global CBPR forum. There are some small or changes or differences like in the forum they now recognize two types of participants. You have members and then you have associates. are essentially economies or countries that are looking to become members but are not yet immediately ready to do so, and the example we have right now is the UK, who have actually not just signified, I think, but they are actually, if I’m not mistaken, already an associate of the Global CBPR Forum. So that’s essentially why this is critical, or at least a very important part of the conversation, because if the Global CBPR Forum actually progresses, the question of sustaining still the APEC CBPR becomes very valid, why still maintain the APEC CBPR when you already have this system, a new system which is broader in scope, in operation. But for the moment at least, these same countries behind the APEC CBPR and Global CBPR Forum make it very clear that these two systems are independently operated. So supposedly they do not affect how the other operates, but yeah, we’ll have to look again at this particular situation in the future, depending on how much things progress as far as the Global CBPR, Privacy Rules Forum, what happens to it. If you are interested more in additional details about the APEC CBPR, and to some extent the Global Privacy Rules Forum, we already have the report available on that URL that you can see on the screen, and you can download it later.

Javier Ruiz Diaz:
Thank you. So yeah, we will share with all of you, we’ll put those URLs in the Zoom, and we’ll also share them with you at the end of the meeting if you want, we’ll give you all the URLs. So this was a look at the CBPR, which is one of the systems that is trying to become a global standard for data. Now we are going to hear another presentation for another system that is not, I mean it’s not the same, but it’s also being used as an example for what could be an approach to global data governance, which is the Digital Economic Partnership Agreement, the DEPA model. So we are going to have a presentation coming in online from Pablo Trigo-Kramchak, who is going to speak from Chile, and I think he will be joining in directly, so I think I’m just going to switch off this mic as soon as we confirm that we got their audio.

Pablo Trigo Kramchak:
Can you hear me? Okay, Javier? Yes, I think we can hear you. Can you hear me? Javier, can you hear me? Yeah, I don’t. Okay, great. Yeah. Okay, thank you. Thank you very much. Well, my name is Pablo Trigo-Kramchak, I’m a researcher at the University of Chile Faculty of Law, and I’m going to present some, briefly, some of the elements and findings of a report that we have prepared on the Digital Economic Partnership Agreement on its approach to cross-border data flows. It just, well, this study has been developed thanks to the support of the Digital Trade Alliance. Well, first, some context. In the modern data-centric digital economy, as you know, the collection, processing, and sharing of personal data plays a central role, and data flows are a foundation of international digital trade. And despite the increasing relevance of this topic, it’s not yet possible to achieve an international consensus to comprehensively tackle these diverse aspects of digital trade at the multilateral level. As a result, it has become more common to find digital trade provisions incorporated in new FTAs, resulting in what is often described as a spaghetti bowl on regulation in the digital trade sphere. Privacy and data protection concerns have gained increased prominence in negotiations, but the intricacies of data governance make the landscape quite complex. What further complicates matters is that the three major global players, the United States, the European Union, and China adopt distinct approaches to data governance. It was mentioned before by other speakers. That is very clear. The U.S. takes a sectoral approach, allowing businesses to set rules and regulate privacy. The European Union strictly safeguards personal data under fundamental rights law and through comprehensive domestic regulations. And the approach offers, this approach offers a robust personal data protection and is not open for negotiation. On the other hand, China has implemented strict regulations for personal data protections, aiming to boost its data-driven economy and internal security. Well, the Asia-Pacific countries have adopted some of the most advanced agreements focused on digital trade, such as the U.S.-Japan Digital Trade Agreement, the Singapore-Australia Digital Economy Agreement, the SADEA, and the Digital Economy Partnership Agreement, the DIP. But it’s also important to keep in mind that, for example, the CPTPP contains an e-commerce chapter that applies to measures that affect trade by electronic means, a concept not defined, including provisions on personal information protection and cross-border transfer of information by electronic means, among other issues. Well, DIPA was signed in 2020 among Chile, New Zealand, and Singapore, and is one of the first comprehensive international agreements on digital commerce. And during the negotiation process of these agreements, parties constantly refer to their intention to delineate an adequate framework for the progressive, available, and safe implementation of emerging technologies, including the governance of certain activities that underpin these technologies, such as cross-border data transfers. Nonetheless, many DIPA provisions refer to non-binding commitments, starting points, or preliminary roadmaps for future collaboration. In this sense, DIPA has been specially conceived and designed as a pathfinder to influence and contribute to multilateral trade negotiations on digital trade by means of its flexible language and modular structure. It’s to be noted also that DIPA parties envision this instrument as a model for possible WTO e-commerce initiatives, as well as digital economy efforts within the EIBIT Forum and other international bodies. But what are the questions? The main question that this report is trying to solve and address is that in this scenario, the question arises whether DIPA, one of the pioneering comprehensive international agreements on digital trade, could be considered a pathfinder in shaping global rules for cross-border data flows. DIPA is frequently considered an innovative FTA, especially in terms of its adaptable design and modular approach. And in this sense, new parties can determine the extent of their commitment without being bound to fully embrace the entirety of this agreement, of its provisions. Well, the elements that we keep in mind when developing this report, these studies, these researches, is that the purpose of these studies was to analyze how the DIPA approach can shape and guide future negotiation and international governance rules on cross-border data flows and to determine whether DIPA provisions constrain governments from adopting their own standards on personal data transfers, identifying the possible added value of DIPA provisions. When examining, taking into rules concerning data flows governance, DIPA closely aligns with the approach championed by the United States during the TPP negotiation, and that were the basis of the CPTPP agreement. Even though the United States is not a participant in the CPTPP, well, the provisions draw heavily from the TPP, where the U.S. played a significant role in shaping the negotiation process. This similarity might be attributed to the brief negotiation period for DIPA. It took just some months, which inevitably required drawing heavily on existing agreements. For future accession process, this factor, to replicate the format of the language contained in older agreements, especially the TPP, the CPTPP, is problematic. Countries that are not signatories to the CPTPP may have reservations about adopting these provisions for many reasons, political, economic, and social. This circumstance could affect the possibility for certain countries seeking to join DIPA to accept all its models. It should be noted that DIPA provisions related to governance of data flows contained in Article 4.3 affirm the parties’ previous levels of commitment contained in older agreements. This is crucial. This is very important. And among other effects, this will imply a reference to the commitments made by the three original signatories to DIPA in the CPTPP, to which they are also partners. Regarding our main findings in this research, we can see that the DIPA rules governing cross-border data flows take verbatim CPTPP cross-border transfer of information provision, also affirming parties’ previous levels of commitment contained in older agreements. As highlighted in our report, this situation can pose significant challenges. Questions arise about which prior agreements will set parties’ level of commitments relating to cross-border transfers, especially when there may exist inconsistent or contradictory rules at this stage. The complexity becomes more accentuated when considering countries that are not part of the CPTPP. And this factor could affect the chances of new DIPA parties embracing all these models. Despite DIPA personal information protection provisions contained in Article 4.2 being more detailed than the CPTPP text, they fail to set the minimum standards. And furthermore, DIPA strongly promotes interoperability through the adoption of mutual recognition of voluntary self-regulatory approaches, which could be considered in some way equivalent to the implementation of comprehensive or sectoral privacy or data protection rules. And this in some way affects heavily the impact, the added value of DIPA in terms of protecting consumers’ rights, users’ rights in digital environments. It’s difficult to claim that DIPA could be considered a trailblazer for future cross-border data flow relations. However, two issues deserve our attention. The first is that because of its modular approach and uncompromising wording, DIPA is an agreement that arouse growing interest worldwide. Even not just in the Asia-Pacific region, you can see that this is generating some interest even in Europe. The United Kingdom expressed some interest in being part of DIPA. The second is that even if no concrete commitments are made regarding data flows, this does not mean that DIPA declarations cannot have any legal relevance. On the contrary, different legal effects could derive from these declarations, especially as more countries join the agreement. In this context, it’s important to consider that this treaty is inserted in a broader context intertwined with other trade agreements in which DIPA parties are engaged. And a statement made into DIPA could be considered an international dispute settlement, for example, even when the dispute does not emanate directly from DIPA’s specific provisions. Moreover, these statements could play a significant role in resolving disputes arising from breaches of other commitments made within DIPA that are not excluded from the dispute settlement model when the crux of the matter pertains not to correct interpretation or application, for example, Article 4.3. It’s worth noting that while dispute settlement models do not extend to Article 4.3, the cross-border transfer of information by electronic means, it is indeed applicable to Article 4.2, protection of personal information, which, for example, states in paragraph 10 that the parties shall endeavour to mutually recognise the other party’s data protection trust marks as a valid mechanism to facilitate cross-border information transfer while protecting personal information. This is a connection, for example, you can consider the previous presentation of the previous speaker regarding the APEC system, CBPR system that is based in this trust mark with this self-certification scheme model. To sum up, regarding cross-border data flows, DIPA does not forge a new path but rather follows the trajectory set by the US. This circumstance has a decisive impact on the added value offered by DIPA, by this digital trade agreement. If we consider that DIPA has been specially conceived and designed as a pathfinder to influence and contribute to multilateral trade negotiations on digital trade, it’s not difficult to imagine that a broad accession or replication of these terms and provisions could end up producing a de facto demonisation under the US data governance model. Thank you very much for your attention. Well, if you want to see, to check the full report, you can find it in the Digital Trade Alliance website. I’m going to copy in the chat section of Zoom to complete the link to this report. And, well, if you have any kind of questions, please, you can see there my email address. And, well, I’m open to any kind of question or comments. Thank you very much.

Javier Ruiz Diaz:
Thanks, Pablo, for such a comprehensive overview. So, we have first looked at a system of certification, a system where countries agree that companies can get private certification and that certification can be used to send data across borders. That’s one of the models that we have. The next model we have is a modular trade agreement, but it’s not really a trade agreement. It’s like a collection of individual commitments where countries can pick and mix and make their own combination. But, as we’ve seen from the research, there are some questions as to how that modular approach works in the sense that some of those partial commitments apparently could involve buying wholesale the previous regulatory regimes of the founding members of the DEPA, which brings us back to the fact that those are in CPTPP, in the Trans-Pacific Partnership Agreement, and so they may not be actually that new. So, that is the discussion. Next, we are going to look at the third model. We are going to look at it coming from this region. It’s something that is quite different. It’s the Indo-Pacific Framework for Prosperity, which is a new kind of agreement that is not just a new type of trade agreement. It’s not even technically a trade agreement. We are going to hear a presentation online from NAN, from Engage Media, which is a civil society organization very active in this whole area, in this region. So, NAN, could we check? Do you have access to the Zoom? Yes. Can you see my slide? Yes, we can see the slides. We can hear you loud and clear. Thank you.

NAN:
Perfect. Thank you very much for having me. My name is NAN. I’m a digital rights project coordinator at Engage Media. We advocate for digital rights and digital safety. in South and Southeast Asia. So today I’d like to talk a little bit about the IPATH. So thank you for the introduction there. Engage Media is part also of the Digital Trade Alliance. So when it comes to IPATH, or Indo-Pacific Economic Framework for Prosperity, this not-so-much trade agreement involves 14 countries, mainly the U.S., India, some countries in Oceania, including Japan and East Asia as well, and a lot of countries in Southeast Asia. And what’s very interesting about this treaty is that the U.S. government shares all chapters and controls the text of the IPATH. It began a few years back, and it’s expected to conclude by November 2023. Unlike other FTAs, the IPATH will not offer market access and GSP privileges. There are four pillars to this free trade agreement, and the digital trade chapter is not publicly available, and negotiation is exclusive and secretive. This also includes an enforcement mechanism, although the U.S. will have the ability to conduct inquiries against any violations. Review of public comments processes in Australia and the U.S. and media statements of big tech companies have raised a lot of issues by big tech companies. The issues that were raised are limit measures that restrict cross-border data flows and, secondly, prevent disclosure of source code and algorithms, and, thirdly, remove any requirements for establishment of local offices and local representatives. The U.S., Mexico, Canada FTA, or hereby in the U.S. MCA, is explicitly cited as a baseline for commitments in the IPATH. Now, in IPATH, corporate interests dominate the U.S. trade advisory system. Eighty-four percent of U.S. trade advisors represent business interests. Sixty-nine percent of those advisors represent large corporations and their trade associations. And, as you can see, extensive lobbying by big tech companies are involved, and the provisions in the IPATH are very big tech friendly. U.S. trade representatives have solicited advice of big tech. We have evidence on that, on the digital trade provisions. And should comparable proposals in the digital trade within the trade pillar resemble those found in the U.S. MCA, there could be significance on the digital rights in terms of transparency, accountability, and the ability to ensure that technology is used in a way that respects digital rights. So some of the issues that I’d like to focus on is, first, if IPATH leveraged the model of the U.S. MCA, it will have enforceable cross-data flows requirements, generic measures such as that of Thailand’s Personal Data Protection Act. A local law will almost certainly fall foul with the U.S. MCA’s style of free flow data provisions. Domestic measures aim at enhancing privacy and security of data, as well as providing regulatory access to data could therefore be affected by this IPATH provision. Restrictions on cross-border transfer can be used to protect the privacy, of course, and ensuring access to enforcement mechanism, particularly the EU’s GDPR and numerous jurisdictions that implement specific measures on pertaining to health, telecom, and mapping or financial data. It will also enhance administrative efficiency and improve domestic law enforcement and promote economic and strategy purposes, meaning domestic capacity and cost storage, taxation, etc. So the implications of this provision will make it difficult to introduce any domestic measures to restrict cross-border data transfer. It will narrow the scope of exceptions. Necessity and proportionality requirements are very high bars to meet in IPATH, and so the requirements for pre-transfer consent could be very hard to be met. In the ultimate analysis, such provisions help data flow to countries with poor data protection standards, for example, the U.S. And while the debate surrounding restrictions on cross-border data flow is ongoing, because while it facilitates states to carry out certain elements of regulatory work, data localization will also impose barriers on firms for big data and cloud computing in decision-making and lower the efficiency of their operations. So there are valid concerns and arguments on both sides. The next issue that IPATH will likely raise is the establishment of safeguards against forced source code disclosure as a condition to market access. Countries in Southeast Asia and South Asia as well are still developing regulatory responses to the use of algorithms. For example, Indonesia is now ongoing with its AI ethics policy. One tool of regulation is ensuring greater transparency and accountability over how algorithms and software in general work. With this provision, it will restrict various tools available to a state to promote competition and fairness in the digital economy. Preventing such disclosure in the future may lead to algorithmic discrimination in areas like employment policies, insurance policies, or search engine rankings, which will have an effect on the competitiveness of smaller businesses in the global South. Comparatively, the RCEP does not contain an analogous clause, and the CPTPP prohibition on disclosure only applies to source code and not on algorithms. It does not require an investigation to have been initiated or recognize that a party may require a modification, but in IPATH, it will. And so this is a trajectory of a stricter deregulation of disclosure. And I’m quite sure that everyone is aware of the danger of algorithm non-disclosure. Of course, it will limit the ability for independent ex-ante verification of how a software product works. It can be essential to ensure that software-based products and services function as they are meant to do and limit the risk arising from the use of software, as well as limiting the black box issue with AI. And secrecy goes against the developing regulatory consensus on the use of AI tools. Explainability, robustness, security, and safety are key design principles put forward by the OECD AI Policy Observatory. A number of proposed laws seek to ensure pre-deployment verification of software and AI, for example, the American Data Privacy and Protection Act, which requires to conduct AI impact assessment, including design of algorithms. In USMCA, the provision has certain general exceptions, but ultimately it implies that source code and algorithms contained in software products cannot be accessed by a regulator until an inquiry has been initiated into an identified malpractice. And that’s very, it’s a slippery slope. It’s also worth noting that the RCEP does not contain, again, the analog clause restricting the disclosure, while Article 14.17 of CPTPP applies only to, again, source code and not algorithm, but also it does not specifically limit access to a source code to instance where an investigation has been initiated. So limiting the ability of parties who require changes to algorithm and source code that could be found to be biased and otherwise harm individuals is something that will likely happen should this provision be included in IPEF. The non-disclosure could also hinder the trajectory of AI regulation at the regional level and also at national level. And I’d like to also point out that here’s me participating in the IPEF negotiating rounds. So as I mentioned, the negotiations are completely confidential. However, we do provide stakeholder listening sessions to which I was a part of in the fifth round of negotiations in Bangkok. And I have raised multiple concerns regarding the violation of digital rights should IPEF take the North American trade agreement model and the codification of it. And I just like to share that after I shared my intervention at the stakeholder listening session, a U.S. trade representative from the embassy actually reached out. However, in that intervention, I specifically targeted the Thai trade representatives because it was quite clear to us that Southeast Asian nations or signatories to this trade agreement is not gaining much but are losing more. And so I was targeting the Thai trade reps in particular on the digital rights issues. And yeah, to wrap up, the codification of USMCA-like provisions will limit the regulatory options available to the signatories to implement public or consumer interest regulation over the digital ecosystem. The free flow of data classes poses a limit. The ability of countries to implement localization norms and the inclusion of such classes would allow for the continual flow of data to the U.S. where it would be subject to relatively lower standard of data protection norms. Additionally, provisions restricting access to source code and algorithm will limit the ability of regulators and independent entities to scrutinize and conduct external assessment or audit on the software products prior to their deployment. This has many challenges, as I mentioned before. In particular, the gig economy also and labor issues. And limiting the ability to properly audit AI system is premature, so it could in the future limit attempts at ensuring safety and security and fairness of AI tools, which is something that I’d like to highlight here. And closing remarks is the FDA provisions that seek to preemptively limit the ability for states and regulators to implement public interest or consumer interest regulation in this digital space is something that we need to push back. And regulatory frameworks concerning the digital ecosystem are still in the nascent state in many Southeast Asian countries.

Javier Ruiz Diaz:
And with technology being rapidly changing, putting these stipulations and provisions in the FDA will restrict certification. If it’s very hard to get a European Union decision, let’s go for certification. So these models are really becoming global. They are going way beyond the region. But now, if we don’t have any more questions, we are going to move into the next part of the discussion, which is to try to… So we’ve mapped the kind of regional initiatives. Now what we want to do, we are going to do a little tour of the region, where we are going to get representatives from consumer and digital rights groups to give us a little context of what are the more pressing issues, so we can see how these regulations will basically touch the reality on the ground in some of the key countries. We don’t have people from all the countries, so don’t feel if you are from a country in the region there is no one here. It’s not by design, it’s probably because we couldn’t find, but of course feel free later on to speak. And I think the idea is that we want this to be participatory and to get your input. And the same thing for our colleagues online. If you want to raise any questions, please put it in the chat, and then we will get someone to read it out for you here in the room. So we are going to start with Japan, and I’m going to give the floor to Amy Kato from Consumer Japan to start giving us an overview, and then we’ll continue with Korea, then Philippines, and then we are going to… Okay, we are being asked about having a break. Okay, so let’s do this thing. We are going to take a break because I think three hours, you know, I can see that no one is as committed to the cause here to sit for three hours, you know. So we’ll take, should we take, being realistic, should we say we’ll reconvene at quarter past, and hopefully, you know, we know who you are. If I see you out there later, you know, there’s not, and you didn’t come back, you know, I’m going to be like pointing at you. So we are going to take a little break, so you can grab some water, maybe go to the restrooms, and then we’ll reconvene at quarter past. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you.

Amy Kato

Speech speed

175 words per minute

Speech length

13 words

Speech time

4 secs

Jam Jacob

Speech speed

132 words per minute

Speech length

2445 words

Speech time

1111 secs

Javier Ruiz Diaz

Speech speed

158 words per minute

Speech length

1530 words

Speech time

580 secs

Minako Morita-Jaeger

Speech speed

124 words per minute

Speech length

1642 words

Speech time

794 secs

NAN

Speech speed

122 words per minute

Speech length

1693 words

Speech time

831 secs

Pablo Trigo Kramchak

Speech speed

130 words per minute

Speech length

1783 words

Speech time

825 secs

Paula Martins

Speech speed

152 words per minute

Speech length

367 words

Speech time

145 secs