[Read more session reports and updates from the 14th Internet Governance Forum]
The discussion gave an overview of existing policies on the national and regional levels, considered their relevance for communities, and asked if it is possible to have internationally accepted standards for data protection. Proper data protection regulation is a lengthy process, but once an appropriate regulation is adopted, enforcement must follow. Some regions struggle with resources for implementation, while others struggle with the drafting of the law. International standards such as the Convention 108 of the Council of Europe (CoE) can provide good guidance for establishing national legislation.
From the perspective of the national and regional IGFs (NRIs), the question was: where do we stand today with data protection? Mr Eun Chang Choi (South Korea IGF) explained that data protection regulation in South Korea takes a serious stance: penalties can include imprisonment, depending on the violation. Choi said that companies respond to strict regulation, and would much rather pay a large fine than face imprisonment. Learning from history that a military state can attack human rights using data, strict regulation fits the South Korean national context. Mr Abdias Zambrano (Panama IGF) emphasised that most countries in Central America went through similar struggles to unify regulation on data protection, which was scattered across different laws. The context called for focus on fighting discrimination against sexual orientation, gender, race, and others. He noted that Costa Rica has had a regulation on data protection since 2011, but that Guatemala, Honduras, and El Salvador still lack it. In Panama, the main idea was not to centralise personal data legislation, but to supplement the existing legal framework. Stakeholders active in the drafting noted that support from civil society and the international are necessary to move the processes forward. Now, with legislation in place, authorities face a lack of infrastructural, economic, and human resources for implementation. This is shown by a recent leak of more than 3.5 million users’ data. A general lack of knowledge and awareness among the population is also a big problem. ‘People welcome the use of surveillance cameras, facial recognition, and other technologies for national security without knowing the consequences they bring', Zambrano warned.
From across the world, Ms Liljana Pecova Ilieska (North Macedonia IGF) focused on how to tackle data regulation when bordering the EU, but not being a member of it. For North Macedonia, the European General Data Protection Regulation (GDPR) is not formally mandatory, but in reality, it is, since there is a high volume of data transfers coming from neighbouring countries, such as Greece and Bulgaria, where the GDPR applies. A solution to this for now is using the CoE Convention 108 as an international standard.
What need is there for a globally accepted standard on data protection? Zambrano said that thinking globally, the Panama IGF discussed the need for a multi-sectional board and how to replicate examples of good practice coming from around the world, such as the GDPR. He highlighted that the Convention 108 is not applicable in Central America and that the region welcomes co-operation as well as international pressure on policymakers. Choi confirmed that the South Korean government expressed an interest in joining Convention 108. Illieska noted that in addition to international standards, others can learn from the GDPR. A good example is in North Macedonia, where Center for Internet, development and good governance (IMPETUS) helps companies develop standards that translate the GDPR into technical tools, helping them enforce the GDPR on a smaller scale. Participants also agreed on the need for financially independent data protection authorities.
By Jana Misic