[Read more session reports and updates from the 14th Internet Governance Forum]
It is a common understanding that different countries must adopt legal frameworks for data protection, but different levels of implementation are available. This session analysed some of the privacy norms around the world from the perspective of national and regional IGF initiatives. The session took a trip around the world discussing privacy practices and data protection, starting with Panama, where personal data protection and privacy are practically non-existent.
According to Mr Abdías Zambrano (Panama IGF), very few telecommunication and telephone companies even publish a data protection policy so that customers can know their rights. The concept of a transparency report is also fairly new. Nobody notifies users when they receive a request to access user data. However, a good practice that companies have is the use of HTTPS protocol to avoid information breaches through attacks or even robberies. Some companies in Panama use guidelines produced by the authorities for requesting personal information.
The USA does not have a comprehensive federal privacy or data protection law noted Mr Dustin Loup (IGF-USA); instead they have a variety of sector-specific laws that cover healthcare or financial data, and other specific protection for children, amidst a growing patchwork of state laws. In addition all fifty states plus the District of Columbia and several territories have their own data breach notification laws. Their goals are aligned, but they are not completely compatible and sometimes the assortment of regulations creates confusion for companies seeking compliance. Many US companies have to be aware of the GDPR, because they serve customers in Europe, so the confusion is heightened. Hence, opinion favours establishing a federal baseline privacy law. ‘Right now, we kind of have a little bit more harm's based approach than a right's based approach that you will see in places like Europe. It is yet to be seen how that will be incorporated into a federal baseline privacy law. But we are at least at a point where we can agree that the majority of people want one’, said Loup.
In Nigeria, the contribution of ICT to gross domestic production is about 10.8%. Many breaches occur in the handling of citizen data, according to Mr Jimson Olufuye (Nigeria IGF/West African IGF). For data protection, the national IT development agency of Nigeria was given a mandate to devise a standards and regulations framework guiding the ICT industry. This was the first of its kind and it differentiates between a data controller, data owners, and data subjects. For violations, for anyone processing about 10 000 data subjects, a penalty of 2% of the gross income is applied as a fine as part of the new guidelines.
Brazil’s new data protection law is very much inspired by the GDPR in Europe, and due to be enforced in August 2020. However, Mr Thiago Tavares (IGF Brazil) said challenges remain in applying the law without a data protection authority in place. In a public statement made last week before the IGF, the Brazilian steering committee affirmed the authority and free implementation of strong end-to-end encryption and the exercise of rights under the federal constitution and subsequent laws, including the new data protection law.
Mr Sébastien Bachelet (IGF France) stated that in France, privacy and data protection are rights protected by an act of 1978 on information technology. A general mission informs individuals of their rights under a French data protection act, protecting the right of citizens. The GDPR has introduced new mechanisms in the field of data protection that makes it possible to sue for data breaches, such as that which occurred in January 2019 against Google. But one of the important challenges is to qualify harm related to the violation of data protection rights.
Brazil is currently debating amending its constitution to include data protection as a fundamental right. This discussion has potential to enlighten citizens about privacy. A national standard that aligns with a global standard will serve well. So far, in the absence of a global privacy standard, the GDPR has been globally considered as a point of reference. The 2009 Madrid Declaration of the International Conference on Data Protection and Privacy Commission is also interesting in this regard because it reflects a more global perspective. It was not only deliberated by member countries of the Council of Europe, but by all the authorities taking part in the global privacy assembly.
By Mili Semlani