A meaningful standard for necessary scope of PI processing

10 Dec 2021 12:50h - 14:20h

Session page

Event report

The session looked at the necessary scope of personal information collection and processing, and what can be done on establishing a global standard on handling personal data.  Mr Qi Xiaoxia (Director General, International Cooperation Bureau, The Cyberspace Administration of China) said that the year 2021 was important for China, as the state has issued several regulations regarding digital policy issues. This included the ‘Law on Data Security’ and China’s Personal Information Protection Law (PIPL). The experience from the EUs GDPR legislation was used, and a process was conducted in a multiskateholder manner. The policy framework was developed in an open and exclusive process, Xiaoxia added. The pandemic presented the need for united work, and tackling issues globally with the joined policy action. China will continuously help efforts to establish a fair and open, international digital policy frameworks. Mr Xiaodong Lee (CEO of Fuxi Institution, Director, Center for Internet Governance, Tsinghua University) also recognised the Internet Governance Forum as a very important governance platform under the UN framework. In June 2020, China reached the 1 billion netizens mark, with internet penetration measured close to 72%. Development of digital services and applications become the main business model for the whole industry, said Mr Li Yuxiao (Vice President of Chinese Academy of Cyberspace Studies) in his overview of the current situation of PI protection in China. However, some applications went beyond the scope of reasonable data collection. In addition to excessive collecting, another related threat is data leakage. Data leakages are mentioned as a cause in 30% of cybersecurity incidents, Yuxiao added. China will continue to be devoted to the proper PI protection on a local level, while working in a spirit of international cooperation to help deliver more universal policy solutions globally.  Regarding the state of AI development in China, he mentioned that new AI infrastructure also needs constant data collection in order to advance from weak to strong AI which could run our future cities. This, of course, exponentially increases the chance for data misuse. Having in mind that AI tech is rapidly evolving, policies toward AI regulations need to be continuously updated. China also issued a national AI strategy and a ‘code of conduct’ for the industry. Yuxiao mentioned China’s work on the AI principles adopted by UNESCO as a first global regulatory framework, and invited all stakeholders to work on a trustworthy set of international rules and mechanisms for AI and PI protection. ‘We hope that IGF will play a significant role in guiding stakeholders to join this significant discussion’, Yuxiao concluded.  Mr Jovan Kurbalija  (Executive director of Diplo) highlighted three major tendencies from the international Geneva scene. The first one is ‘data self-determination’, Kurbalija said. A notion that citizens should be in full control of their data, as a precondition to economic development with a full support for human rights and human dignity. This would ensure a human-centred approach to the solution of data handling. Second important question in discussing data management is the question of data interoperability. The right to use the platform of one’s choice should be enabled to all internet users. This should also be the main industry focus for device standards. The third tendency is related to the ethical AI development and use of data. Recommendations for the ethical AI development needs to be on the international agenda as soon as possible. ‘The main question is’, Kurbalija continued, ‘how are we going to preserve our cultural heritage and pass it on to future generations?’. The UN Secretary General, in his agenda, invited nations to enact a new social contract for the digital age. The one with the clear standpoint on expectations from the digital and AI developments. We need to think precautionary, and think a few steps ahead, if we are to leave the same world after us.   In the case of Brazil, an introduction of the general data protection law had a harmonising effect on previously scattered privacy policies and partial regulatory solutions. As Mr Luca Belli (Professor, Center for Technology and Society at Fundação Getulio Vargas (FGV)) pointed out, Brazilian data Protection Law is following similar patterns as the EU’s GDPR, or recently adopted China’s Personal Information Protection Law. During the lengthy process of enacting a law into enforcement, overseeing institutions were created and an important constitutional change took place. Four months ago, the Brazilian Congress added data protection as a new fundamental right, under the Article V of the Brazilian Constitution. Belli explained that legal interoperability, particularly in the BRICS group of countries, will be a crucial next step. He also called for further work on regulatory convergence between BRICS countries. This might lead to the adoption of BRICS legal frameworks, and increase cooperation on this pentalateral level.   Data security and PI protection is gaining more importance in relation to economic development. In the words of Mr Lee, the digital economy has become the engine keeping the real economy afloat after being struck by the pandemic. Digital economy now adds to 16% of economies in developing countries like Germany, UK, or USA. In China, this number is higher and it is reaching 40% of the total economy. Mishandling data deteriorated trust between users and platforms. Therefore many countries have stressed regulation and supervision of data security as a decisive factor. Lee added that, different from the EU approach, which puts data in the hands of individuals, or the US approach which prioritises business opportunities, China’s policy framework formally established data as a factor of production.       All experience from the national policy approaches should be discussed, shared, and exchanged in a spirit of mutual respect and understanding.  Data needs to flow in order to maximise its value. Tempering the free flow of data can affect the productivity of the global digital economy and, eventually, raise the price of connectivity. Therefore, the importance of a coordinated response is even higher, Lee said. Since national legislations are specific and developed in a narrower focus, it is at least necessary to agree on a minimum set of rules acceptable by the majority of countries. Lee called the workshop participants to help this effort. Ms Xiuyun Ding (China Federation of Internet Societies) informed on the full cooperation of all internet societies in China and a mutual work towards common goals. She asked for the faster introduction of the relevant standards for the personal information collection, and the processing of those data for AI use. The search for an equitable system for global governance should not stop or slow down. A more transparent relationship between the Internet platforms and the end users must be established, Ding added. She also called on companies to establish, or improve, the industry codes of practice, as well as self-discipline mechanisms for personal information protection.  Since it utilises a massive amount of data, further development of AI will multiply risks for all forms of data mishandling. Safety protection of AI products should be the industry focus. Production vise, there is a need for urgent development of systematic assessment and testing. This could also serve as a promotion of AI safety to the general public. Transparent AI monitoring system is needed, followed by a fully transparent overview of the AI algorithm design, development of AI products, and the outcomes. International dialogues to create the AI ethical rules and frameworks should be the primary goal for all governments. The three steps to come closer to reaching that goal might be: deepening the research on AI ethics to provide societal guidance, building development environments to strengthen the laws, and increasing the penalties for data mishandling in order to create competitive industry and regulation around it.  The session also provided an overview of the new risks AI pose to privacy such as model inversion, data poisoning, or training-data manipulation.We can also foresee the risks that are almost imminent, and need current attention. In particular, AI-centric decision-making, as well as weapons powered by AI.  The workshop called on all stakeholders to strengthen their responsibilities, and enhance further mutual communication and cooperation. By Arvin Kamberi 

Session in numbers and graphs

Most frequent noun chunksMost frequent names and entitiesWordcloudProminent verbs with adverbs

Automated summary

Diplo’s AI Lab experiments with automated summaries generated from the IGF sessions. They will complement our traditional reporting. Please let us know if you would like to learn more about this experiment at ai@diplomacy.edu. The automated summary of this session can be found at this link.