[Read more session reports and live updates from the 13th Internet Governance Forum]
With the EU General Data Protection Regulation (GDPR) in force, this underscores the need for countries to pay attention to data protection. For many Commonwealth states, especially developing countries, there exists no, or inadequate, legislation to address data protection, highlighting the need for building capacities and raising awareness in this area.
The session, moderated by Mr Robert Hayman, Manager, Capacity Development and Training, Commonwealth Telecommunications Organisation, featured discussions on the impact of the GDPR on Commonwealth member states, and the challenges they face in drafting and implementing data protection laws. Hayman introduced the session by referring to the recent Commonwealth Data Forum which took place in February 2018.
Mr Alain Kapper, Senior Policy Officer, Information Commissioner’s Office, United Kingdom of Great Britain and Northern Ireland, provided an overview of the GDPR and its impact on third countries outside the EU. The growth of data flows between Europe and the rest of the world brings new challenges, as highlighted by the invalidation of the Safe Harbor agreement between the EU and the US in 2015. Within the Commonwealth, The Common Threat Network has been established, with the support of the UK and Canada, to cooperate on data protection issues, and support member states which have not yet developed national data protection frameworks.
Ms Mona Al Achkar Jabbour, Head of Lebanese Information Technology Association LITA, Lebanon, argued that the harmonisation of legislation is a must in this field, since all states face the same challenges when it comes to data protection. Cooperation is needed in order to ensure interoperability of these emerging legal systems.
Ms Salanieta Tamanikaiwaimaro, Founder and Executive Director, Pasifika Nexus and President, South Pacific Computer Society, Republic of Fiji, indicated that Fiji has two articles on privacy and access to information in its national constitution, but no generic framework for data protection. Certain economic sectors in Fiji are subjected to specific legal instruments on data protection (banking, health, and aviation for instance), but it remains insufficient as shown by the recent scandal around the alleged duplication of a birth record for criminal purposes.
Ms Mary Uduma, Managing Director, Jaeno Digital Solutions, Nigeria, indicated that though the new cybersecurity law in Nigeria does not mention data protection, a number of initiatives have emerged on this topic. An expert group in the Senate has been established to advise lawmakers on the GDPR, and a partnership has been created with the EU. Uduma also mentioned repeatedly the lack of capacity and capabilities in Nigeria to deal with these emerging regulations.
Ms Theresa Swinehart, Senior Vice President, Multistakeholder Strategy and Strategic Initiatives, ICANN, provided the perspective of ICANN on the impact of GDPR on its activities. She said that the GDPR is a well-intended legislation, but with unintended consequences once applied to the technological environment. The applicability of the WHOIS system to the GDPR has been a crucial issue for ICANN, and led, after an iterative process with the community, to the Temporary Specification published in May 2018.
Ms Elena Plexida, Government and IGOs Engagement Senior Director, ICANN, argued that this instance demonstrates the need for the technical community to be more involved in the drafting of such essential legislation.
By Clément Perarnaud