A universal data protection framework? How to make it work?

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

Convention 108 of the Council of Europe, is the only legally binding convention on data protection, noted Mr Péter Kimpián (Representative of the Data Protection Unit of the Council of Europe). He described adherence to the convention and its two objectives: to protect the rights of individuals and to allow the free flow of data, as the Internet increasingly becomes a critical infrastructure. He pointed out several challenges faced by the council in promoting the adoption of the convention, such as the lack of information and the difficulty to reach several interested stakeholders, such as countries in Asia.

The work that is being done within the Association of Southeast Asian Nations (ASEAN) community to create a data protection framework that establishes and guarantees safe data flows for an ever-increasing digital economy was highlighted by Mr Lih Shiun Goh (Public Policy and Government Relations). The data protection framework, agreed in 2016, aims to protect the data protection rights of subjects, while being business-friendly at the same time. One of the biggest challenges is implementing an international ASEAN framework when some of the ASEAN countries do not yet have a local data protection regime, so they require guidance and assistance before they can worry about a common framework.

Ms Jaewon Son (Representative of Korea Internet Governance Alliance) agreed, stating that when thinking of a universal data protection framework, we should think of developing countries first. She believes we should first raise awareness on the importance of data protection in developing countries, as well as helping them establish their own data protection legislation, before thinking of a universally accepted data protection framework. Developing countries do not lack human resources or funding, but guidance and consistency between courts and the legislative. Only after solving these problems will these countries be able to join this current discussion.

Participant questions and answers revolved around the specific function of each country’s data protection framework and how they should have mutual trust in cross-border data transfers. Discussions showed that most of the time, it is a very long and complicated process to come to a consensus, a conclusion, and eventually to a framework.

While universal data protection frameworks are important, Mr Charles Mok (Chair of the Internet Society Hong Kong) pointed out that there is concern about the distinctions among the data protection legislation of different countries. He raised the question of how to harmonise them. Mok discussed how cross-border data flows are complicated by old data protection legislation, and noted the human rights and cybersecurity issues revolving around allowing data to flow to ‘blacklisted’ countries.

That developing countries must not be pressured to adopt strict data protection legislation on a par with developed countries, rather on what is reasonable to implement locally, was emphasised by Ms Renata Avila (Human Rights & Tech Lawyer). She drew a parallel between the present and the 1990’s, when trade agreements containing strict copyright laws were pushed into Latin American countries as a requirement for trade, and such laws ended up suffocating local innovation, forcing them to direct resources to the repression of copyright violations. Avila described strong efforts among developing countries to adopt the General Data Protection Regulation (GDPR) as a standard, but she fears this is not adequate. She believes only countries with enough resources to implement the infrastructure required by the GDPR should do so.

The difficulty most people have in recognising the importance of data and how it is related to their rights, their property, and their identity was presented by Mr Jean Queralt (Founder and Manager of the IO Foundation). He also signalled the lack of control over the infrastructure, which allows large tech companies to abuse those rights without being noticed, as a way to grow bigger and acquire more control.

Participants discussed a wide range of subjects loosely related to the issue of how countries could design a universal data protection framework. Suggestions involved starting with regional consumer protection frameworks, strategic agreements, and industry standardisation. Some suggested the use of trade agreements to cover cross-border data flows. Others suggested the use of Convention 108 as a model.

By Pedro Vilela