IGF 2019 – Day 2 – Raum I – WS #211 Value and Regulation of Personal Data in the BRICS

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> LUCA BELLI:  Good morning to everyone.  Thank you, not only for being here this late, but also to be so skillful to find this room, which is very well hidden in the second floor of the complex.

My name is Luca Belli.  I have the pleasure to have the CyberBRICS project that was at the origin of this submission of this workshop proposal that then became this workshop.  If you want to know more about what we do in the CyberBRICS project and how we analyze digital policies in the BRICS, so Brazil, Russia, India, China, and South Africa, I invite you to read cyberBRICS.info, and also in a couple of weeks we will have ready our book on mapping Cybersecurity in the BRICS, and it will be of course released in open access for you to use it, to read it and also to use it to do further research.

Let me provide you a couple of ‑‑ before introducing my distinguished panelists, let me provide a couple of useful pieces of information to understand what we have been doing.  The basic assumption from which we started is that BRICS countries, although they have been meeting for more than ten years, there is a desert of research with regard to digital policies, and the reason is twofold.  First of all, there is unfortunately ‑‑ things are changing now, it's harder commitment cooperation, but with regard to policy research, there is still very few projects initiatives doing so in the BRICS area.  Hard sciences are developing cooperation much better; human science still has to catch up.

On the other hand, the digital policies of the BRICS have been really shaped over the past five or six years for the majority of them.  An example that illustrates very well why we have been thinking about this project is data regulation, the reason we have been organizing this workshop.  Over the past two or three years, all BRICS countries have either completely renewed, updated or elaborated new regulatory frameworks on data protection.  The landmark moment that can mark this transition is the Xiamen Declaration in 2017 BRICS meeting.  After that all of them have started coincidentally to adopt or update their political and, sorry, the regulatory framework.  In Brazil there has been new data protection legislation adopted last year entering in force next year and a new data protection authority will be established.  Russia has updated their data protection act.  India has declared a new fundamental right to privacy in 2017, that has triggered elaboration of new data protection bill that is going to be discussed in the coming weeks.  China has adopted not only a Cybersecurity legislation, that tackles data protection, but also further specified it in the data security specifications, and also introduced a new right to data protection in the general norms for the new civil code.  And last but not least, of course, South Africa has created new data protection regulator a couple years ago that is now tasked with the duty to implement the privacy of personal information act.

A lot of things are happening, for a group of countries that includes 3.2 billion people, which is 42 percent of the world population, and where four out of five BRICS are in the top five of the countries with the most mobile Internet users, where the Internet of Things is already happening, a reality, where data, data is processed continuously and therefore, data protection frameworks are badly needed both to protect individuals' rights and of course also to guarantee stable foreseeable environment for businesses.

Having said that, I would like to introduce my distinguished panelists.  Starting in BRICS order of course, from Ambassador Achilles Zaular, who is director of technology and, science and technology department at the Brazilian Ministry of Foreign Affairs, Professor Andrey Shcherbovich from Higher School of Economics of Moscow, Anja Kovacs, director of the Internet democracy project India, Min Jiang from the, Professor at the University of Charlotte in the U.S., and sadly, Dirk Delmartino could not participate.  So we will have a BRICS panel hoping that in the room there are people from South Africa providing inputs.  Otherwise we will provide our opinion on South Africa.  Then of course, last but not least, Peter Kimpian, that works for the Council of Europe, an organization of which Russia is of course a member, that will also help us provide a broader perspective on and put this into, the idea that we will discuss into perspective with regard to the European context.

Without further ado I would like to ask to Ambassador Achilles Zaular to open the dance, presenting about the latest evolution in Brazil.

>> ACHILLES ZAULAR: Thank you, Professor Belli.  I would follow more or less the order of the questions that you mailed us before so that we can share the basic knowledge about the national policies of each of the countries, and then of course we will be ready to debate.

A quick background, Brazil has over 140 million Internet users.  It's the largest Internet market in Latin America and the fourth largest in the world, in the number of users, I think, after China, India and United States.  In August last year 2018, we approved the first comprehensive data protection law, called in Portuguese  (language other than English) General law for that data protection or LGPD.  So I will be using this LGPD to refer to it.  It's the data protection law.  In December last year, the former President of Brazil issued provisional measure, it's a kind of the force of law that has to be reviewed by congress which makes some amendments to the LGPD and the most importantly, it creates Brazil's first national data protection on this issue, especially in the last two years.  So in July, we had the final version of the data protection law.  It has some revisions.  To enter into force, the law is approved but there is a kind of grace period.  It went into force in August, 2020.  So nine months now.  Then starting August, the data protection authority will be responsible for overseeing the data protection regulation.

This leaves many organizations, many businesses, many companies, approximately, well, less than ten months to assess the impact of the law on the data processing activities and operations to devise and execute communication strategies and make changes relative to business processes, compliance infrastructures and IT systems.  That is a lot of work.  There is a whole business that has flourished around it and helping the companies to adapt themselves to requirements of the new law.

For many of these businesses and organizations and Government agencies, etcetera, there will be, this will be an opportunity to transform the approach to that protection and data management, and that to adapt it to put it in line with the digital, modern digital economy, and to use it as an opportunity to take part in the opportunities that the digital economy brings.  For the authority, the new authority, 2020 will be the first cycle of regulatory data protection, and enforcement power, and that intended to be also a learning experience for the authority, as it is for businesses, and also for the Brazilian judiciary.

So to ensure the effectiveness of the national authority, and bring the whole of the Brazilian economy into line with the realities of the digital world and now the legal requirements for data privacy.  You made a series of questions, Professor.  This is general introduction.  I may leave the answer to the particular questions to later.  What do you think?

>> LUCA BELLI: It's fine to have some points to discuss in the debates.  If you want, we can further discuss.

>> ACHILLES ZAULAR: That is the thing about the application to foreign entities, extraterritorial.

>> LUCA BELLI: If you want to start, short overview now.  Otherwise we can go (overlapping speakers)

>> ACHILLES ZAULAR: The law has both transversal and multi‑sectional application meaning that it applies both to the public and private sectors.  It applies online as it applies off‑line.  It also has extra territorial application, meaning that Web sites, companies, all organizations that process personal data from individuals in Brazil are bound to comply with the law, regardless of where in the world they are owned or operated from.  Article 3 defines that the LGPD applies to, one, data processing within the territory of Brazil, two, data processing of individuals that within the territory of Brazil regardless of where in the world the data processor is located, so if you are outside Brazil but you are processing data from Brazilians you have to comply with the law, or else, three, data processing of data collected in Brazil.  So that's pretty ambitious scope, but I think it's more or less in line with what is happening elsewhere.

There is also as we mentioned about India, also about the creation of a fundamental right, the LGPD defines a data subject as a natural person to whom the personal data that the object of processing refer, that is an individual whose data is being collected and or processed this is a data subject.  The LGPD empowers data subjects with nine rights, defined, please don't ask me exactly what the nine are, but I'm sure it defines what constitutes personal data, and we can check it here if somebody asks.  And creates ten legal basis for suing somebody.  It also puts the responsibility on organizations to appoint a data protection officer, DPO, who will interact with the national authority.

There are provisions for sensitive health data, and my last observation will be that many of the provisions and changes introduced in the law, the parallel to the European Union's GDPR requirements, including the rules about extra territorial scope, expanded individual rights, requirement to appoint a data protection officer, DPO, rules about risk and breach notification, rules around data transfers.  There are differences which we can discuss later.  But it is not inaccurate to say that the new law brings Brazil relatively close to the model of the European Union, there are a few differences, few technical issues that I'm sure the Professor who is visiting Brazil, you are Brazilian?  You have ‑‑

>> LUCA BELLI:  I have both Thai and Brazilian.

>> ACHILLES ZAULAR: Professor Belli understands better than I.  If there is a particular tough question I'll deflect it to you.

>> LUCA BELLI: Thank you very much.  Also, let me welcome the delegation from Brazil, telling them that if they want at any moment to chip into the discussion and provide thoughts or ask any questions, they are absolutely more than welcome to participate in the discussion.  Now proceeding in BRICS order, I would like to ask Andrey Shcherbovich to provide insight of what is happening in Russia.

>> ANDREY SHCHERBOVICH: Thank you, Professor Belli.  And first of all, I'd like to mention that this is my work which was completed during the CyberBRICS fellowship, Faculty of Law, at university, an opportunity to Cybersecurity and data protection conference in particular in my country, and I'd like to tell you some basic features about data protection legislation in Russian Federation.  First of all we have the law on personal data, which of course have the written basic reason to protect privacy of Russian citizens, but also have other functions for protection of so‑called public interests or like economic, social and political functions, and the basic reasons for this legislation is to provide a balance between ensuring privacy and ensuring other interests of public nature.  But this is the major feature of Russian legislation, that it always care about public interest.

First of all, I'd like to know the rules of processing, and how to process personal data.  First of all, we need the informed consent for transfer of personal data, this consent should be in written form, observed in written form in all cases and all occasions, you need to write down the form in which you agree to give away your personal data.  Also, this legislation should care about legitimate purposes of processing of personal data.  It's not possible to collect personal data without any specific legitimate purpose.

It is also a specific feature of Russian legislation that it is not possible to mix or combine databases with personal data that are collected for different purposes.  Also, we should also care about the relevance of the personal data, and operator should take any necessary measures to keep this data updated or delete them in case there is no need for collecting them anymore.  Here there is a fifth property that personal data should be collected no longer than processing of personal data required this.

We have some exceptions from the federal law.  For example, personal data which is collected for, by individuals for family, personal needs.  Another exemption is personal data which is collected for the purpose of archive legislation, special legislation of archival funds, it's not suitable for collection of personal data.

Other specific rules could be implied when personal data is collected in case of filling the unified register with individual entrepreneurs, and of course special rules which are involving everything when this personal data constitutes state secrets of Russian Federation.  Special categories of personal data legislation, personal data of these categories cannot be collected.  This is personal data concerning race, nationality, political opinions, philosophic and religious views, health conditions and intimate life, it is not possible to collect this kind of personal data, in any kind, with some exceptions, of course.  But in general it's not possible to collect these specialized personal data.

This is Roskomnadzor which is authority authorized for personal data in any other spheres than Internet Governance, for example, blocking and filtering of Web sites, this is one of the major purpose.  First of all, it keeps operate, it keeps register of operators of personal data and it keeps registry of violators of legislation of personal data.  I will tell you about what will happen in case of this violation.  For example, when the Council of Europe convention, the convention prescribes that authority and sphere of personal data should be independent, but the Roskomnadzor, its structure is independent from the Ministry of Communications.  That is why Russian Federation is the country where, which is not suitable for appropriate data protection in accordance with this, in this convention.

The major problem in legislation of personal data in Russia is localization of personal data.  Personal data of Russian citizens should be localized on servers inside the Russian Federation.  That's why some companies are creating Russian markets just for economic reasons, that it's not possible for them to rent servers inside of the authority of Russian Federation to collect personal data of Russian citizens.

There is the process of blocking of the violator Web sites.  The major feature is the 15 days that is given to the organizer of dissemination of information to correct violation.

In case this violation would not be corrected, Roskomnadzor is able to block the Web site that contains violation of legislation of personal data of Russian citizens.

Lots of critique for this legislation, for this data protection legislation.  Russia is not unique in localization of personal data, but there is a lot of critiques from the non-governmental organizations, from the independent international organizations, that it limits freedom on the Internet actually.

This is how this registry looks like.  It is not possible to see the whole register.  It just is possible to search in the registry, in case this or that particular Web site is violator of the personal data regime.

There are some problems of implementation of this law.  Some economic experts counted that the countries' GDP will decrease, by the or in case of implementation of this law.  This law creates major problems in cross-border transfer of personal data.  Of course, it's not possible to establish nationality of Internet user.  In some cases it's possible to enter any kind of nationality.  And of course, it's the bypassing of this blocking is very simple by using VPN mechanisms, anonymizers and other things like that.

There are issues how to determine possible Russian jurisdiction over Web site, when Web site is used to domain name associated with Russian Federation, for example, .ru, .su, .moscow, users of Russian language without automatic translations, that means that Web site is devoted for Russian citizens and is market oriented for Russian citizen.  And also payment in Russian rubles also is possible.

This is the possibility for spreading governmental control over Internet activities, and Roskomnadzor says we will continue strictly implement this law.

The only major victim here is LinkedIn, which is completely banned in Russia for a violation of these personal data legislation.  It is not possible to use the LinkedIn social network in Russian Federation.  I can see that it is possibility for other social networks, that will not implement these data localization law.

If you have questions, I can answer in the end.  Thank you very much.

>> LUCA BELLI: Thank you very much, Andrey.

(applause)

Sorry if I stopped the enthusiasm.  I suggest we have another presentation and then we open for a couple of questions.  Then we keep on with our presentations and then we open for the debate.  Please in BRICS order, Anja.

>> ANJA KOVACS: Thank you, Luca.  As always, it's a delight to be on a BRICS panel.  It is positive to have in a meeting like this panels that foreground Global South perspectives.  I'm going to approach my comments differently than the previous speakers, I got inspired by the session I was watching on digital sovereignty.  I was grateful the Ambassador was there to put some of the Global South questions on the table.

A lot of what you raised in your comments is also the broader framework in which the data protection legislation in India has to be located.  What I want to do is first talk about our draft data protection bill, I'm going to talk about the draft that was released in 2018.  We know that right now in Parliament it is announced that the bill is going to be introduced.  We know that there will be changes.  But that version is not public so I can't say anything about it sadly.

Secondly, I want to talk about why it looks the way it looks.  We have had in India in the past two years a lot of initiatives actually that touch on data, not just this draft data protection bill.  That has generated a lot of enthusiasm, some have called the draft data protection, personal data protection bill in India GDPR light but at the Internet democracy project, we think that is too generous an assessment of the law.  There are three areas in particular that I want to highlight as very serious weaknesses of the bill like that in the digital age.

The first one is that the draft in India does not have any next generation rights at all, with that I mean rights that actually address big data questions, right?  The right to explanation on automated decisions, for example, or the right to object to processing of personal data when it's done in the name of public interest or legitimate interest.  Or the right to object to processing based on your gender for direct marketing, all of these have been included in the GDPR, we don't have any of these that actually address the new challenges that come with big data in the draft law in India.

A second area I want to touch upon is around consent, and the way consent has been framed is what at the Internet democracy project we call the benevolent patriarch.  Consent is seen as a grant for processing but only operates as long as the benevolent patriarch agrees so there is a ton of exceptions.  When it comes to private entities in general, a lot of consent is left, or weakened by provisions that say that data processing after consent has been given is still allowed based on what is fair and reasonable.  But what is fair and reasonable in the digital age is precisely one of the reasons why we are having all of these debates.

And to leave it to a data protection authority to then decide what is actually fair and reasonable is really just passing the buck.  It's an undermining of the consent provision right there.  We also have in the same law specific provisions that give very broad leeway to employers to collect data without consent from their employees, including for all forms of assessment of their labor which nowadays can be almost anything.

As well as, provisions that actually give the state the right to collect data without consent for any benefits that the state provides, as well as for the provision of any certificates, etcetera, by the state.  So again, this is a really, really broad ambit for the Government to collect data of people.

This is especially important because when we come to the third big area of weakness is that of state surveillance.  In the original version of the bill that we saw last year, it is important to know that there were also horizontal provisions for data localization in this bill, where at least a copy of every, of all data would have to be stored on a server within India.  It seems there are rumors that that might actually not go through in the current version of the bill, so that there might be a much more narrow form of data localization.

But even without the data localization provision, there is very, state surveillance is a strong exception within the bill, surveillance is a ground for exception of most of the provisions of the bill.  The surveillance supposedly has to be necessary and proportionate, in the language of the draft, but we had very little checks and balances in India to indicate what necessary and proportionate means.  This is going to be litigated.  As a nonlawyer, I don't have the patience to wait another ten years to see what comes out of that, right?  We are going to set new habits around this.  And that is quite dangerous.

What is also important is that the state in the bill is treated as a unitary entity, and that is important because if you see that the Government actually has the right to collect so much data from its citizens, and that we have in other aspects for the provision of benefits and that we have in other laws provisions that actually allow surveillance agencies to access later data for example for the investigation of any offense or the prevention of any offense, then you can see that even the provisions that have to do with benefits that the Government provides actually indirectly can be a way to serve the surveillance engine of the Indian Government and as a user perspective that is just not strong enough a protection.

Now, how is this possible?  Luca mentioned in the beginning we have a very strong judgment from the Supreme Court in 2017, reconfirming that Indian people have a right to privacy under the constitution, even though we don't have an article as such in the constitution.  What you have seen is that actually when it comes to protection of privacy online in India, since then we had a few amazing verdicts that strengthen people's rights to self-determination and autonomy.

You can see a conspiracy theory in this, but what we argue at the Internet democracy project is that this kind of focus on collecting data from people really is an extension of the Silicon Valley thinking around data as a resource, as something that is simply out there.  Coming back to the previous session, and some of the comments that the Ambassador made, if we, if data is really a resource, I think it is no surprise that definitely for a country like India, where you have a market big enough for India to be able to capitalize on the data itself, to want to do that, and to frame laws accordingly, to actually make that possible.  For us the challenge is not simply that perhaps our Government doesn't always take rights seriously enough, because like I said, I think that context of growth and development is important and the opportunities that data provides to increase growth and development are important.  But what is really at stake here is how we conceptualize data in the first place.  And that is a challenge that I think we see more visibly in a country like India but it actually is just as relevant in Europe, for example.

The problem is that we have erased people and specifically people's bodies and the embodied experience of data and the implications that has on their lives from the way we frame our legislations around these issues.  I'm happy to say more about that later, if people have questions.  But I'll leave it here for now.  Thanks.

>> LUCA BELLI: Thank you very much, Anja.

(applause)

I would like to open the floor for a couple of questions, the presentations so far have been quite thought provoking.  I will take two or three questions to have a little debate, and then we can pass to the other segment.  Yes.  I see a hand here and one there.  Let's start with these two.

>> AUDIENCE: Hello.  I am Brazilian researcher, and also currently working in the European data protection supervisor.  My question is specifically for the Brazilian Government representative, so to Mr. Achilles, I would be delighted if you could provide us some information on the EU agreement and I will make the specific question that I want, so well, some information has been already published like the European Commission information on the agreement, it says that it focus on the manufacturing industry, but it also covers equipment and cars and telecommunications service, so many part, a lot of industry that is connected with this digital economy as well.

Any information, data protection has been considered issue so far in this particular agreement, and what I see here, the only information was something that says that it will become easier for Mercosur to export to EU as far as we respect the EU high standards very general, because we are talking about many regulation goes in the EU high standards and my question for this panel, it's like specifically to the data protection regulation.

>> LUCA BELLI: Let's take another question there.

>> AUDIENCE: Hello, I'm a student from Hong Kong.  We understand that it is advisory to have regulations about data protection, and every country should do this.  There are United Nations initiatives, the GDPR and Convention 108 Plus in Europe, etcetera.  However, there are always different stances, when we view from different perspective.  Speaking for different stakeholders, for tech giants including search engines or smart manufacturers they prefer loose regulation which benefit their businesses while for academic experts they prefer stricter regulation which better protect our privacy.

How much should companies, that will be affected by the framework, participate in the establishment of our data protection framework?  Thank you.

>> LUCA BELLI: We don't have any other questions at this point.  I will ask the panelists to provide some quick replies, and after a couple exchanges we can come back to the presentations.  Ambassador Achilles.

>> ACHILLES ZAULAR: Thank you, as to the question of ‑‑ what is your name again?  Question of Chiago, amazing the number that work in Internet of Brazil.  I know 6 or 7 of them more or less.

As far as understanding the current European agreement, the issue of data protection is not sufficiently regulated.  The final text has not yet been published, just the guidelines and there is fine‑tuning, but I doubt that there will be more than what you mentioned.  For us to facilitate digital trade between Brazil and the EU, it should be necessary to negotiate and sign an additional agreement, whereby each side recognizes the data protection standards of the other side as essentially equivalent or sufficiently equivalent to those of the other side.

We are basically, to boil down to the European Union, assessing the Brazilian system and its implementation.  As I mentioned, the general philosophy of the Brazilian law is close to the general philosophy of the European law, much more than what happens in the other BRICS.  There may be some issues about the design of the data protection agency, that's what I heard in formal conversations, whether it's sufficiently independent, whether ‑‑ but the design of the Brazilian data protection agency itself is not completed, it's still in the process of being implemented, and the issue has been discussed in Brasilia, has been discussed for the past several months, and I think it will still be discussed, the setting up of the data protection agency has started around what you call in Brazil which is some part of the presidency and they are designing it.  Certainly, this consideration of facilitating, for Brazilian companies, to operate in other markets, we are certain will be a consideration.  If you don't do that, what happens, for instance, let's think about laboratory exams, medical exams for instance, to process medical exams in Brazil from patients, I'm pretty sure that you have to comply with the European data protection standards, who has the right to look at the exams, what are the consequences if you fail to protect the privacy of the patient.

This is just to make one example of the hundreds of issues that have to be addressed, when the time comes to, I'll say in English, regulate, to pass the subsidiary regulations that exist under the law.  You sound like a young business professional, I think you have work for the next 20 to 30 years if you stay in this field.

>> LUCA BELLI:  I would like to abuse my position of moderator to provide a comment on what you are saying.  Actually the BRICS analysis is very useful also in this regard, because for instance we take Russia as an example, Russia did not receive adequacy decision from the European Commission precisely because the agency, Roskomnadzor data protection agency is not considered as independent, which is an essential requirement to provide adequacy decision under article 47 of the GDPR.  This is something that should make Brazilian lawmakers think about the revision of the new Brazilian data protection authority, that should, can, according to law, can happen in two years, is not sure it will.  But it can happen.  So although now the Brazilian data protection authority has been conceived as part of the presidency not as a full independent body, it can be reviewed in a couple of years, and I think that if the Russian example is of any use, Brazilian lawmaker will consider seriously the creation of an independent body to have adequacy decision to have free flow of data between Brazil and EU.  Sorry if I speak too much.  I will let panelists reply to the second question.

>> MIN JIANG:  Thank you for the students from Hong Kong for raising the fantastic question.  It is really wonderful to have students at these kinds of events and panels.  I think a lot of the adults in the room would agree that the Internet by now is really messy and messed up, and it's good to hear from your voices and hear, share your thoughts about what we need to do.

Quick response to your questions about the concentration of power in the hands of few monopolies.  In the United States we have roughly four corporations controlling to a great extent what people around the world, billions of people can see and can access.  Recently, I would recommend the audience here to watch a brilliant takedown offered by Sacha Baron Cohen recently on Facebook, and it's a beautiful takedown.  And he basically dismantled the idea that the silicon six, six people, these were corporations, should determine how billions of people should access the information.  It is a problematic model.

That has been called into question.  But I want to raise the point that in addition to corporations, we have states around the world also increasingly asserting control over their sphere of influence, so perhaps as another point for discussion later on.

>> PETER KIMPIAN:  Thank you very much.  I would like also to thank the students raising the question, I'm very happy that you start understanding the essence of passing valuable legislation.  I have some good news and bad news for you, from the Council of Europe.  The Secretary‑General last year decided to exchange a letter of agreement with major Internet companies, and their associations and which open the way for cooperation with our committees including the committee of convention 108 on data protection.  This is the good news.  The bad news, nothing happened, nothing much happened since.

I think there are some more diplomatic answer and maybe more cynical answer to this.  I leave you choose between them.  But I think that the intention, even if the intention is there, there are lots of questions how things should implement this and for this we need additional efforts from both sides.

>> ANJA KOVACS:  I want to respond to this question as well, specifically in the context of a data protection debate in India, because I think first of all, no matter how much we talk about multistakeholderism in the IGF things like data protection law those are decisions taken by a Government.  Right?  At most what the Government will do is consult, the question is who are they going to consult?  This is actually a really important question.  If you look at the debate around our data protection law, the data localization requirements were proposed as a move against those big six, it's interesting to know some of the richest Indian industrialists close to the Prime Minister also have prepared to set up massive data centers which they are going to make a lot of money out of.  Then actually the start‑up scene in India got involved in the debate and said but if you are doing this, for us, the costs are going to be so high, that the ecosystem in India is never going to be able to develop in the same way.  Right?

I think it's really important to think about which companies get involved, and related to that also then to have a transparent and open debate, because I think part of the challenge with many of, a lot of business involvement, is that big companies also have the direct line to a Ministry, for example and what is said is not made public.  If you have public consultations in which everybody actually has to make their inputs into this policy process public, you can have a real national debate about how do all these interests of both companies and citizens come together, because it's not like companies are not outside of that, having a flourishing economy benefits people.

>> LUCA BELLI: Excellent.  Very interesting conversation.  Yes.  Andrey, one minute.  Then we can pass to the second segment.  Please go ahead.

>> ANDREY SHCHERBOVICH: Just to make sure that the principal stakeholder he should be insured, and also I would like to mention dependence of the Russian Internet companies on the Russian, let's say Government, and the governmentally controlled business.  This is question of the third level regulation, to make this regulation effective, we need to improve and implement the multistakeholder approach.  Thank you very much.

>> LUCA BELLI: Excellent.  Now we can pass to the second segment of this panel, with presentation of Professor Min Jiang.

>> MIN JIANG: Thank you, Luca, for including me in this conversation.  China, as you may know, like many other countries, has been formulating its own approach towards personal data protection, in part in response to GDPR.  My remarks here will focus on two questions, one, why does China's approach to personal data protection matter here?  Second, what are some of the key features of China's current data protection policies.

First China's approach to personal data matters a lot economically and politically to provide some context, China has the world's largest Internet population of 850 million users, almost three times the Internet population in the United States, and more than ten times the Internet population that we have in Germany.

This large user base has supported a robust Internet industry in China.  In fact, with companies well‑known around the world like Huawei, ZTE, Alibaba, Tencent and TikTok recently, China has developed over the past 25 years its own alternative digital ecosystem that can rival Silicon Valley's in both size and sophistication.

Also strategically and politically, if data is now more valuable than oil, then China has lots of it, and it is really fueling the development of its technological industry in areas especially as AI.  China's successful state driven AI program is now seen by countries like the United States as a strategic and security threat.  So we are witness, but we are witnessing now a new kind of Sputnik moment that is driving the ongoing U.S. China tech rivalry centered around AI and 5G, and accelerating the technological decoupling of the two countries.

Next let me turn to the evolution of China's personal data protection policies and highlight some key features.  It is not hard to see that China took a very centralized systematic and gradual approach here.  Policymaking has largely been coordinated through a newly created policymaking body called the Cyberspace Administration of China.  It is an inter‑Ministry policymaking body, headed by the Chinese President himself.  This policymaking body passed in 2017 the foundational Cybersecurity law of China, which includes a very broad set of language about personal data protection.  In the same year, a technical standard called personal information security specification was released with more detailed provisions.

The specification, which is very similar to GDPR, it needs to be recognized for sure for its details, but at the same time, it is a technical standard that lacks the GDPR's legal status, what I'd call China's GDPR 1.0.  The situation is going to change quickly soon, as drafts of two important new laws were released earlier this year.  The first one is called the Data Security Administrative Measures aimed at regulating personal data within China.

The other one is measures on security assessment of the crossborder transfer of personal information, which targets of course crossborder data transfer.  Several aspects of these developments stood out to me regarding China's personal data protection policies.  First of all, China has not historically been a very strong champion or advocate for personal data protection and privacy.  These new measures are both an answer to GDPR but also a necessity, if the Government in China is trying to put its arms around data in China.  And also, to those who say that Chinese people don't care about privacy, I think these new laws are providing new legal instruments for citizens to push back, especially on Internet companies when they cross the line.

Recently, as a matter of fact, the Chinese public has successfully pressured firms such as Ant Financial, an Alibaba subsidiary, and a deep fake app called Zao to change their privacy settings and protect user rights.  Second, the Chinese Government has a genuine interest to bring order to a chaotic data market by decreasing business malpractice and protecting user rights.  Doing so helps the Government to make the case that they represent and champion the people.

Third, China's new data protection policies, I need to point out, do not negate Government control over user data.  In fact, if anything, they attempt to do the very opposite.  The Government has done so by leaving a giant loophole in the related legislation that allows authorities to collect and use personal information without user consent, or inspect network operators and demand them to turn over user data to safeguard things like national security, public interest, social stability, and economic regulation.

So this gives, as you can tell, the Government a very immense latitude, right, but also it is a problem, because foreign security regimes are now arguing that Chinese companies like Huawei cannot be trusted.  So this is a kind of catch‑22 situation.  I think it's very difficult for the Government and for Chinese tech giants who are going to go abroad to wiggle out of.  Fourth, similar to many other countries, like Russia and India, China has introduced data localization provisions.  The current draft of the Chinese crossborder data transfer law specifically requires foreign network operators that collect Chinese national's personal information inside China to designate a legal representative or entity within the territory, so you see the process of reterritorialization of data.

Finally, China has been quite innovative, I must point out, in addressing certain aspects of personal data protection, for instance, the aforementioned specification actually includes a very detailed privacy user agreement template to guide business for compliance.  For another example, the new data security administrative measures also anticipates problems created by new technologies such as deep fake, right, and so actually requires business to designate and label content that is as synthetic when the content is created and generated using big data and AI.

I think some of these new proactive measures can serve as really interesting examples, as the international regulatory community is grappling with different aspects of data regulation.  I'm happy to say more about China's approach to personal data regulation and how, what it means for BRICS countries and other regions.

(applause)

>> LUCA BELLI: Before giving the floor to Peter, I want to make a couple of comments, highlighting, actually we have also in the CyberBRICS research spotted two macro tendencies.  One is that in spite of a formal binding treaty or agreement, BRICS countries are converging towards many elements of their national regulations, principles, for instance, that are enshrined in all the regulations are very compatible, consent, data minimization, security, accountability, appropriate specifications, they are all present in the BRICS frameworks, international frameworks.

On the other hand, there is still a lot of room for improvement for all the BRICS countries.  So the purpose of this session and also our research is precisely to map what exists in the BRICS, which is already extremely meaningful in terms of research, as there is no research in this sense so far, and then identify what could be the best practices that BRICS countries, even other countries, could follow to, on the one hand protect individuals' rights and on the other hand, of course, create a legally predictable environment for business, so to kill two pigeons with one stone.

I would like to ask Peter to provide his opinion on our debate, not only as the Council of Europe is an organization where Russia is a member since many decades, but also because the Council of Europe is the first intergovernmental organization to have created an international binding framework on data protection Convention 108.  So no one is better positioned than Council of Europe to provide insight and suggestions on how to enhance the data protection frameworks.

>> PETER KIMPIAN:  Thank you very much.  Thank you for having me on this panel.

Instead of going through the outlining Convention 108 and its provisions, as Luca suggested, I would like to drive through the latest development with our, when it comes to our relations as organization and as more precisely data protection unit or data protection committee towards the BRICS countries, and I must say that when it comes to the first letters, first letters, we have some moderate enthusiasm and the last ones more questions than answers.

But without further ado, I would like to start with Brazil, and the reason for our enthusiasm towards Brazil is that of course, that the Brazil passed a law on data protection legislation which we have been also following with great interest, and immediately after or even maybe during the process, Brazil has requested observer status to the committee of Convention 108 and participating in our meeting already as an observer, from the Brazilian representatives, but the Ambassador will confirm it, that Brazil also wish in future to consider joining Convention 108 and becoming a party to the convention.

When it comes to the second letter, Russia, we now turn to family affairs, as you rightly pointed out, that Russia is a member state of the Council of Europe, and is party to the Convention 108.  More importantly, Russia was among the first signing the amending protocol on convention, on the modernized Convention 108 last year.  But we have some issues.  These issues have been discussed with Russian counterparts, at the technical level as well.  But it has also been, my organization was very open about these issues, and namely the data localization and independence of the authority.

We have been having a good feedback from our Russian counterparts that they will wish to tackle those issues, and to find solutions in the next draft which is going on at the Ministry of telecommunication and will be finalized soon, which would also serve as an instrument for ratification for the modernized convention when it's fully amending protocol.  But in parallel to this we have also listened with some concerns Mr. Lavrov when he was proposing to the BRICS country to develop legal framework in the field of fight against Cybercrime and data protection, so as a country which is committed to Convention 108 and to the construction that is going on at the global level under the framework of the Convention 108, how would this be in line with what BRICS legal frameworks that are to be developed.

When it comes to India, we are turning to the more questions than answers part.  I can only view that I participated at an international conference last year, when I met the State Secretary, from Ministry of Justice, who is responsible for the draft legislation from the Indian Government, and it was during the WhatsApp scam, I don't know if you heard about it or you are familiar with the issue, but all our discussion at this open conference was revolving around data localization.  Many agreed ‑‑ argued that India should look into the Russian model, and the model in Asia, which have opted already for some kind of data localization model, which we as Council of Europe and Convention 108 would not favor, and I said this openly, because we believe that any protection framework would have to guarantee an appropriate level of protection of individuals in the digital age, while ensuring free flow of data.

And besides technically it's not possible, and I hope that there are some ICANN fellows here who will also support me on that.  I think that it can create more problem than solutions.  But of course I'm happy to discuss it.

When it comes to China, again, our questions just goes on, our questions just go on.  Very similar to India, I met one of the responsible for the Chinese Government for the new legislation at the closed‑door meeting organized by the GSMA for which we are very thankful.  And we could have a discussion on the issue of privacy and the Chinese Government views on the protection of privacy.  But that was a closed‑door meeting.  So I would not be able to reveal too much of the information.

But it is, I mean to say that we wanted to start some kind of cooperation or some kind of discussion in the framework of our committee, where an observer status and an acquiring observer status is a fairly relaxed procedure for a country or for a state authority or a Civil Society organization as well.  But all my E‑mails have been turned down by the five O, so I think that they never got there, and never get an answer either on that.

South Africa is very interesting, because we know that there is a very active and very well‑established data protection authority in South Africa, with a privacy legislation which has been the first in the continent.  And although we have a great interest in the African continent, and we are providing as Council of Europe technical assistance to many countries in Africa, we couldn't have any established relationship with any authority or South African Government on privacy issues.  We hope that in the future that that will change.  There is also an African initiative which the Council of Europe supports, regional initiative to establish a network of data protection authorities for the continent.  We believe that at least via this, we will be able to start discussion and exchange, because we believe that for the construction of a protective framework, having these two building blocks that I mentioned, that appropriate protection of individuals and free flow data, we need discussions and we need it now.

>> LUCA BELLI: Excellent.  As we still have almost ten minutes, we may have discussion indeed.  So I hope that there will be other comments and questions in the, amongst the participants.  If there is anyone from South Africa that wants to chip in and provide some inputs or some feedback on what we have been doing and saying, please don't be shy, and take the mic.  Do we have any comments from the floor?  Yes, please go ahead.  I think you can take one of those mics there.

(microphone feedback)

>> AUDIENCE: Thank you.  My name is Dominico from a university and a sociologist, but trained as a linguist and cultural studies scholar.  My question to the BRICS audience but also of course to the panel is, don't you think this personal data and sovereignty and splitting Internet, etcetera, narrative is also deeply rooted to cultural and linguistic problems?  All these effects, all these laws in Russia and in other countries like, not just in China but in general, it's ...

>> LUCA BELLI:  You can take one of those mics.

>> AUDIENCE:  These problems or outputs are generated by sort of geopolitics of knowledge problem, so there is also, who would be the future, who will be the future rulers of the digital knowledge in the future?  It seems like all these things boils down also to cultural and linguistic problems, which are affecting not just the BRICS but everyone else in the world, because we have companies that have standards, that have applications, and they are basically Anglophone.

>> LUCA BELLI: Do we have any other comments before we provide replies?  Yes, please go ahead.

>> AUDIENCE: Hello, everybody.  My name is Eduardo, I'm in Brazilian research too, but I'm here to represent Brazilian youth.  It is a great pleasure to be here giving a voice to Brazilian youth at IGF.

My question is about the national data protection authority.  In the BRICS vision, is there a BRICS consensus on the performance of data protection authority?  Do you think that authority should be independent of the state or supported by it?  How to prevent it from being extremely financially punitive from companies, and what are the best course of action, extent proposed policy or best practice.  Thank you.

>> ANJA KOVACS:  I have a question for Peter, actually.  I like to think also about some of the comments in that digital sovereignty session which I'm not sure if you were there but when you said you need to balance data protection and the free flow of information but like the Ambassador said, the challenge to maintain the free flow of information, the inequality of power relationships on the Internet has to be addressed and the enormous control that some companies have on the Internet has to be addressed and, the argument that I was trying to make I think in India it is having effect on our data protection legislation and the proposals that are being made that it's not being addressed.  It is easy to keep saying like there should be a free flow of data.  I'm saying that as somebody who does not believe that we are going to benefit as users from the association of national sovereignty over the Internet, but we are clearly not benefiting as users from the association of U.S. companies monopolies over the Internet, and it speaks to the question about the cultural values as well, right.  So I wanted to know does the Council of Europe have to say more about that also, and what might be a way to resolve that.

>> LUCA BELLI: I'll take the last question and we can finalize the panel, the answer after the question, please.  One second.

>> AUDIENCE: Thank you.  I'm from France, I work at WDTO but speaking on my behalf, I would like to come back on the data localization requirements.  The question is simple.  Why data localization requirements, because there are alternative methods to address competition, we can think about data trusts that can be a model, for privacy, we can increase users, online users' control over the data, with more transparency.  Right?  So why for example in Russia, the Government has taken the approach of having data localization requirements, or in India they are thinking to do so.  I agree with the gentleman from the Council of Europe, free flow of data is better in terms of trade at least, and for addressing policy objectives which are legitimate, we have alternatives, right, so why.

>> ANDREY SHCHERBOVICH:  Thank you, Luca.  I'd like to address all of the participants that ask about national sovereignty.  My deep belief, I believe that there could be no sovereignty over the Internet, and of course, one of the first authors of the questions is absolutely right, that connected localization provisions with the sovereignty over the Internet, when we introduced in 2016 that data localization, now we introduce the sovereign Internet law.  This trend of course is really negative.  The only possible things to answer is to develop international frameworks, I believe that developing the multistakeholder environment, like this, where we are here.  So this is the only ‑‑ otherwise the Internet could be actually just dismissed into the national segments, and people around the world will lose the greatest opportunity, opportunities ever for communication.  Thank you.

>> LUCA BELLI: Anyone else willing to address the questions?  I have also comments, that actually originate with what was said before about seeing the, not only the perspective narrative of data localization versus free flow of information, but also the perspective, I think is necessary to see also another side of the coin, which is the free flow entails a bidirectional flow of information.  When it becomes an avenue for a scramble for data, to extract data, unilaterally, from one nation and bring it to a foreign service where value can be extracted, and also taxes will not be paid in the country where it is extracted, because data of course is a material good that will not be, on which taxes will not be levied, if it is processed and valued and rated in a foreign server, then one can understand that actually that localization it's of course linked to sovereignty, but also it's deeply intertwined with protectionism and the feeling that many countries, especially those with huge populations producing huge amount of data, are starting to think about data as a resource, and the fact that the free flow of information actually on paper looks like a great exchange of information, but in practice looks like a drilling and draining of a valuable information out of a country into a foreign country where those data are accumulated and then value is extracted.  So I think it is necessary also to have this kind of perspective in mind.

Now, sorry if I again abuse my moderator perspective to speak too much.  I think other panelists have replies on this.

>> ACHILLES ZAULAR:  Thank you.  Your comment saved a lot of space, so I don't need to go back to what you said.  I wanted to answer Eduardo, asked about if there is a common understanding in BRICS countries about data protection.  The short answer is no.  The political, economic, social systems in the five BRICS countries are very different.  And this translates into a different approaches to, as you just heard, different approaches to data protection.  We are just finishing the Brazilian Pro tempore presidency of BRICS, what the motto more or less that I don't even know if you said to the other BRICS countries, I think it did, but it was our thought internally as we prepared for the presidency, which I think it was pretty successful presidency, was cooperation, not coordination.  So that's seek avenues of cooperation that are beneficial to the BRICS countries, but are not necessarily going to have the same coordinated position on X, Y and Z.  If we don't, we exchange, if we don't, we take note of that, it's a little bit different than the situation let's say within Mercosur where we do need to seek coordination or in context of agreement with European Union where we see the need for the, in the context of what will be an association of free trade agreement, we need to bring the legislations together much more.

These are totally different animals, let's say the Mercosur European union and the BRICS and both are valuable.

My last comment about the question by Professor Rossi, right?  Dominico, I found your question fascinating.  It gave me the desire to hear you present it for an hour, this kind of, whether the divide that we see in the world is a linguistic or symbiotic divide.

My own taste for philosophical inquiry leads me to believe there is something concrete and truthful about what you said.  We live in a world in which different, let's say, regimes of truth are competing for space.  Who gets to decide what is true, what is false.  Now we have this concept of fake news.  Who has the authority to say that some piece of news is truthful or fake?  There is a relationship of power that is involved in this debate.

My Government campaigned last year and was elected on premise of strengthening Brazilian sovereignty.  We tend to be more pro sovereignty than, today, 2019, than maybe we were 10 years ago or 20 years ago.  We are not isolated in that.  It's a general tendency.  But the assertion of sovereignty doesn't mean isolationism, and also our policy is a policy of a trade opening to the world.  We want to lower trade barriers and at the same time assert sovereignty.  That is why I thought it particularly interesting to hear the speech by Chancellor Merkel yesterday, because sometimes they debate here at IGF, you have the people who are pro sovereignty against the people who are pro global Internet.  She was very keen to note that she defends digital sovereignty, inside a global, single, free Internet.

That is why in all the round tables, that is an exercise of German or Hungarian dialectics that seems to me to be particularly fruitful, and sometimes we tend to look in order to treat the economic side of things with Professor here, he also said behind the discretion sometimes there is also philosophical debate.  What does it mean to be sovereign in an open world?  It is a question that will stay with us for a long time.

But the Brazilian people, and I think it's something that transcends the left/right divide, do not want to be just passive adapters of whatever is decided in the so‑called global community.  No.  We want to make our own choices, and implement them as in an open world without isolationism.  That is the challenge.  That is the challenge that we all face.  Thank you.

>> LUCA BELLI: Excellent.  Thank you very much for your remarks.  I would ask the other panelists if they want to provide some final remarks, not more than one minute because we should wrap up as soon as possible.  Please be my guest.  Yes.  The only one, but it may take more than one minute is Peter.

>> PETER KIMPIAN:  Quickly, because time constraints, and it will be practically challenging to do this in a nutshell.  But we have the starting position, the right to privacy as defined by article 12 of the United Nations declaration of human rights is an individual, but universal human rights and every state has a positive obligation to uphold and to protect these human rights.  These are individual human rights which belongs to the person and which is in relation, also referred to information of self-determination and autonomy, and also human dignity to certain extent in certain circumstances.

But this is not a collective right.  It is an individual right.  More than 40 years of the ECHR case law have made a very good distinction that we reproduced, and legislature reproduced in the Convention 108, the modernized form, what is the difference between human rights and state interest like public security.  You can balance human rights against each other, human rights, right to privacy, right to freedom of expression, you can balance against each other.  But we are not balanced, human rights against public security.  What should we do, what states should do according to our Court of Human Rights is that include into the protective framework all consideration necessary to protect and to, to protect and also to respond to state interests, and also to keep public security.

There are extended negotiations around the world, but also in the international data protection community.  And I'm mentioning some of the latest cases, I'm sure Facebook would not be very favorable to be again fined $5 billion next year.  I'm also pretty sure that the discussion of dismantling Facebook, not on privacy grounds but on different grounds, would also, if the U.S. Senate will lead to a conclusion, also the Google in Europe has been fined recently, not the first time these 2 cases is before the court.

What we believe in is basically, you want to protect the rights of your individual, you want to protect your individuals in different circumstances, is that you have to refer to the data security provisions of the modernized Convention 108, but you should not mix this up with Cybersecurity and with fight against Cybercrime.  These are also different disciplines that have to be tackled in a combined way.  And at the end of the day, you will have and you will arrive to reach a protective framework where individuals can still operate automatically.

We believe that it's better to take part in this international and multilateral negotiations because data sovereignty is basically an answer to the claim, which I don't believe it's true, that multilateralism is not working and it's not effective anymore.

>> LUCA BELLI: Okay.  Do we have any other comments before we finalize?  Please.

>> MIN JIANG:  It sounds like there are different interpretations of sovereignty, from this afternoon's data, Internet sovereignty session, we heard Vint Cerf asserting the Internet is sovereign in its own right, and other people argue about nation states should have sovereignty.  You can argue all these companies and Internet giants are sovereign in their own right and extracting a lot of values out of the system.  So we shouldn't be treating the Internet as a wonderful flawless infrastructure, flow free of information without considering the socioeconomic infrastructure that has been erected over the past 20, 30 years.  There is the argument that individuals should be sovereign in his or her own right, having control over their data and also having control over their body.

How does that factor into this conversation about sovereignty, I think more needs to be said about that perspective as well.  In terms of value and extraction of value, there is a huge imbalance in terms of the user end and the company end.  For example, Amazon is a trillion dollar company.  It pays zero tax, federal tax to the United States federal government.  How is that fair?  Right?

So I think the U.S. Government has to think about processes and other governments have to think about processes of getting a fair share and fair shake out of the system that is grossly unfair and unjust right now.

>> ANJA KOVACS:  I think there is a link between the question of geopolitics of knowledge sovereignty and question of data localization.  One part of the answer is what Luca said earlier, how important data as a national resource has become.  And in the context of India, it's important to understand that the Government is also looking at initiatives to make data from companies like Uber, that Uber gathers about what people do and traffic lights available to start‑up communities in India to build apps on top of, etcetera, or whatever like products.  Right?  They are really looking at this as a way to build a data ecosystem that actually builds value for Indian people based on data from Indian people, rather than exporting it outside.

But in addition to that, the cultural arguments, it's not as if the cultural issues don't matter, but they don't play into the sovereignty debate.  This is really about hard core geopolitics and about national interests, it's about money.  It's also really fundamentally about security.  The Indian Government has been looking for ways to get access to data, to break encryption, to have data localized at least as early as 2011, when they tried to get BlackBerry to give them access to encrypted data on BlackBerrys and was successful in the end.  But that has been a continuous threat.  They have looked at different arguments, including hate speech on the Internet, for example.  It's like now it seems finally business coming to the conclusion where it seems acceptable.  But these are really the two things, money, economics and national security.  The security issue, just to say I do think it's also real, we have in Delhi we had terrorist attacks.  We had in Mumbai, we had 26 of November was the anniversary of an attack where 200 people lost their lives.  It's real.  It's a complicated question in that sense.

>> LUCA BELLI: I would like to thank everyone for the excellent presentations, comments, questions.  I would just like to remind you that if you are interested in the issue, you may find a lot of interesting material on CyberBRICS.  We will release a book in some weeks.  We will have a panel at CPDP at personal data regulators in the BRICS at the end of January.  So a lot of other interesting things for you interested in the BRICS upcoming.  Thank you very much for your participation.  And see you in the next events.  Thank you very much.

(applause)

(end of session at 1825)