The session was opened by Ambassador Young-moo Kim, Permanent Mission of the Republic of Korea. Kim called attention to the importance of privacy for fostering consumer trust. He provided an overview of the session, which would be divided into three parts: a) setting the stage: what are the main concerns with regard to data protection; b) cases: how data protection is being addressed in certain countries; c) new tools to protect data.
Ms Cécile Barayre, Economic Affairs Officer, ICT Analysis Section, UNCTAD, highlighted elements of a study published by UNCTAD on data protection regulations and international data flows. New technological developments, such as the Internet of Things (IoT) and the growth of e-commerce, make the discussion of privacy urgent. Harmonisation of regulation is necessary and laws on data protection and cybercrime are complementary. According to the study, 67% of countries have laws on cybercrime and 58% on data protection. However, there is global disparity and Africa still lags behind when it comes to regulation.
The lack of legal compatibility is also an issue to be tackled. There is no one global regime, but there are regional regimes that could facilitate harmonisation. Convention 108 from the Council of Europe, which is open for signature by non-European countries, constitutes a good base for co-operation.
Prof. Ian Walden, Queen Mary University of London, highlighted that although privacy and data protection are similar, they are not the same. What distinguishes data protection is the regulatory nature of the law, and this is different from privacy, which is usually a principle in the constitution. Data protection is about creating a regulatory framework. Moreover, for data protection to exist as a regime, it is necessary to create a regulatory authority, independent from governments, and with sufficient resources. This creates problems for developing countries that may face financial and technical constraints in creating such an organisation. Walden also remarked that data protection can, in some situations, also be a barrier to trade – in the WTO regime, member countries can constrain the flow of cross-border data for data protection reasons.
Mr Kibyoung Kim, Director of the Global e-government division, Ministry of the Interior of the Republic of Korea, explained the status of regulation in his country. He also discussed methods to utilise the data while guaranteeing the protection of personal data. An analysis to assess the adequacy of de-identification could be put into place in order to check whether the data has been successfully de-identified and could not be re-identified.
Mr Oliver Hateley, Senior Adviser, EMOTA, explained that the current EU data protection framework consists of two instruments: the Data Protection Directive from 1995, and the ePrivacy Directive that focuses on e-communications and markets. The Data Protection Directive aims to safeguard personal data while guaranteeing the free flow of data among member states. It establishes criteria for issues such as consent, state of purpose (data should be collected with a clear purpose and should not be used for different purposes), and the right of the individual to access and correct personal information.
This data protection instrument was adopted as a directive, not a regulation. Directives set goals and leave member countries to implement these goals according to their national systems. This has led to inconsistencies that have impacted the trust and confidence of individuals. Moreover, there was no real enforcement mechanism for international processing.
Hateley provided some advice for developing countries discussing their national laws: a) avoid a prohibition model. Data is the currency of the data economy; b) avoid a prescriptive approach. It is better to adopt principles because data and technology evolve too fast; c) ensure there is no regional fragmentation.
Mr David Satola, Lead ICT Counsel, World Bank, mentioned that there are very robust principles on data protection that still form the base of good practices and the development of national laws, such as the OECD and CoE principles. He presented the Cybercrime Toolkit Assessment, focusing on the section of safeguards about data protection and the right to communication.
Prof. Fen Osler Hampson, Carleton University, Distinguished Fellow and Director of Global Security and Politics at the Centre for International Governance Innovation, finished the discussion by reminding the audience that data protection is not only important from a human rights standpoint, but it is also good for business. Successive data breaches lead to a loss of trust. This is an issue that should be tackled by governments and companies together.