[Read more session reports and updates from the 14th Internet Governance Forum]
Privacy and information protection in the Asia Pacific region
The Asia-Pacific region has 4.2 billion people and 2.27 billion Internet users, a very specific and heterogeneous area of the world. The workshop focused on personal information protection in the region in the current context, by reflecting on existing data protection regulations in the EU, USA, and other regions.
The context of China was presented in the work of the Cybersecurity Association of China (CACIC) by Mr Li Yuxiao (Secretary-General, CACIC). Some of their good practices include cybersecurity tours in various areas of China, to raise public awareness about data protection. In June 2019, China launched the Data Protection Regulatory Guideline, effectively setting personal data protection standards in China, while a new regulation, which will focus more on privacy protection mechanisms is being drafted. On the other hand, Yuxiao showed concern about the lack of adequate international mechanisms and proposed to define individual roles and responsibilities of these mechanisms. For example, under the GDPR, EU citizens are protected, whereas Asia-Pacific users are not. He also stated that communication channels need to be established between governments and the public in order to define roles and responsibility in data protection processes.
The issues of tackling the topic of data protection only from the viewpoint of privacy was explained by Mr Duncan Macintosh (Asia-Pacific Network Information Centre [APNIC]), who noted that the efficient and secure operation of the Internet should not be hampered by restricting contact between network operators. The challenge is how to achieve effective implementation of good legislation to protect personal privacy, while allowing for the efficient operation of the Internet. The GDPR and national legislations add even more complexity. Macintosh mentioned the importance of the network operators and the technical community in general having a voice in forums such as the IGF, in order to align priorities for user privacy and technical requirements of the Internet’s infrastructure.
Prof. Wolfgang Kleinwachter (University of Aarhus and EuroDIG) divided the question of cybersecurity into three large areas: national cybersecurity, cybercrime and personal security, and data protection. In terms of national security, he reflected on existing international instruments, such as the UN Group of Governmental Experts (UN GGE), the Open Ended Working Group (OEWG), and multinational private sector actors. The UN General Assembly Third Committee only recently decided to start another intergovernmental working group to consider and investigate whether it would be good to have a universal instrument based on the Budapest Convention that would include all 193 member states. He also shared findings from the final report of the Global Commission of Stability in Cyberspace (GCSC), proposing eight norms for state and non-state actors. Regarding cybercrime, he spoke of issues of existing global frameworks, such as the limitations of the Budapest Convention, due to the fact that it was negotiated under a certain pressure to do something after the 9/11 attacks in the USA and many countries were not involved in the drafting, such as Brazil, India, and China.
In terms of data privacy, he brought attention to Germany, which had introduced the first data protection law in 1970, much before the Internet. His key message in the direction of a global consensus was to avoid fragmentation of the Internet, there needs to be a higher level of understanding and tolerance, more research, and increased dialogue to understand specific positions.
These views were supported in theory by Mr Henry Gao (Associate Professor of Law, Singapore Management University), who presented three different world dynamics in relation to data legislation perspectives. He identified them as profit, policy, and power; where three different dominant jurisdictions systems are visible in the USA, the EU, and China. The USA does not have a comprehensive privacy protection framework, and privacy is seen only as a consumer right. In the EU, on the other hand, the GDPR has elevated privacy from a consumer right to a fundamental human right, extending outside of the EU through trade agreements that are binded by the GDPR. National security laws of China, on the other hand, explicitly require all Chinese nationals and organisations to help protect national security, meaning government and law enforcement access to all data when requested. Mr Li Yuxiao drew attention to recent measurements China has taken to privacy protection and regulation, which provide a focus also consumer and personal information protection.
Mr Ajay Data (Founder & CEO of Data XGen) joined remotely to give an overview of data privacy in in India, creating legal frameworks that did not exist until 2017. He shared that the top court in India, the Supreme Court has decided that privacy is a fundamental right of every citizen. He shared concerns over how more regulation and public awareness is needed on the impact of data privacy issues. For example, the Indian parliament is currently discussing a recent hack, through spyware which was embedded into the Whatsapp chat application and infected high profile people’s accounts to steal data. Focusing on a technical perspective, he spoke of the importance of data protection through technical products such as Data XGen, that focus on implementing a permission framework whenever information is being exchanged between parties.
A general conclusion to the conversation was presented by Mr Jovan Kurbalija (Director, DiploFoundation). He noted that it is going to be an increasing challenge for governments, civil society, and businesses to reconcile economic, human rights, cultural, technical, and security perspectives on data in existing and future policies. In facing existing policy silos, there is a growing importance to genuinely try to learn the languages of other communities, because the issues discussed are the same, but they are viewed through different lenses.
By Darija Medić