Convention 108+ in the digital era

Event report

[Read more session reports and live updates from the 13th Internet Governance Forum]

While Convention 108+ is the modernised version of a landmark Council of Europe (CoE) instrument for protecting individuals with regard to the automatic processing of personal data, data protection and privacy have different interpretations across countries. The session provided a reminder that global privacy concerns did not start with the EU’s General Data Protection Regulation (GDPR), but do require strong, solid, flexible legal instruments to be governed appropriately.

Mr Steve DelBianco, President and CEO, NetChoice, made reference to President Macron’s inaugural speech at the 2018 IGF about the need for European citizens to have greater control of their data. DelBianco cited three categories of data protection and privacy that are applicable in the US:

• data breaches among companies and data privacy risks
• medical and financial data, with health records and mortgage applications as examples
• personal data used in targeted advertising on ‘free’ Internet services.

To demonstrate how lightly the last category was regulated in the US, DelBianco revealed that in a NetChoice survey of 1200 US adults, 42% of respondents were in favour of ad-supported ‘free’ Internet services; 29% in favour of ad-supported services if the ads were generalised, i.e. not targeted based on personal data; and only 16% were willing to pay for services that were currently ‘free’ in the interest of protecting their personal data. Concerning social media, 43% of the surveyed group stopped using a social media platform because they had lost interest in social media, while 28% found another platform to replace their initially preferred medium. DelBianco affirmed that the survey validated the relaxed attitudes US citizens had towards personal data, compared to European citizens. He further stated that 70% of respondents felt that digital advertising was beneficial to the US economy.

Mr Ayden Férdeline, Fellow, Mozilla Foundation, addressed personalised advertisements, positing that while targeted ads seemed innocuous at first sight, data used for such ads could be biased and include discriminatory criteria for consumers. He made reference to companies that used personalisation to avoid regulatory measures, and further opined that it was generally unfair that the regulatory burden to protect personal data was usually placed on consumers, as opposed to data collecting entities. Férdeline criticised the current practice of merely requesting consent from data subjects, and reminded participants in the session of the regulatory approach to seatbelts in the automotive industry in the 1960s and 70s, where manufactures were mandated to pre-install seatbelts in vehicles, as opposed to drivers having this responsibility. He reiterated that privacy could not be effectively protected unless the burden was placed on data collectors to act in the interest of consumers.

Mr Alex Comninos, Policy Researcher, Association for Progressive Communications (APC), gave a general overview of data protection and privacy regulation in Africa, to facilitate the identification of globally common issues. He pointed out that there are 18 African countries with data protection laws, and 15 countries currently developing such laws. Comparatively, countries with older laws were more compliant with older EU data directives, while those currently developing laws are addressing GDPR compliance. Comninos stated that cyber security measures often undermine data protection and privacy, because cyber security frameworks consider privacy and anonymity as a threat to robust cyber security. He identified a loophole in South African law for intercepting communications, where communications from non-South Africans, or those which cross borders, can be intercepted by the authorities. He pointed to the futility of this measure when South Africans use Google services hosted outside the country. Generally, Comninos felt that Africa needed more capacity to develop timely and effective data protection regimes. He also compared the operational budgets of data protection authorities in South Africa and Germany to demonstrate the stark resource challenges that South Africa faces to effectively regulate data protection and privacy.

By Kevon Swift