FINAL TRANSCRIPT
EIGHTH INTERNET GOVERNANCE FORUM
BALI
BUILDING BRIDGES ‑ ENHANCING MULTISTAKEHOLDER COOPERATION FOR GROWTH AND SUSTAINABLE DEVELOPMENT
OCTOBER 24, 2013
11:00 Am
WORKSHOP 335
PRIVACY FROM REGIONAL REGULATIONS TO GLOBAL CONNECTIONS
********
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
********
>> FREDERICK DONCK: Ladies and gentlemen, I would like to open the session. My name is Frederick Donck. We are based in Brussels. Any questions you have about our activities, find us after the session. Enough of the commercial for the Internet Society. I'm happy to welcome you today. We will be talking about privacy. We already had several conversations, not just here in Bali, so I would like to move to the next level. We know that privacy is a really difficult issue. We don't have any universal definition of privacy. Really it's just about context, about users' expectation, and of course you have different legislation in different regions of the world. So the question is how can we deal with different legislation, different privacy expectations when it comes to privacy in the online world.
There are convergencies and we will address those today, but as I said, we would like to move this conversation to the next level and investigate what might be the core principles in strategies that we need to achieve a balance approach, so privacy and that protection is effective both international and regional level.
So those are complex issues. I shall introduce the panel in a few seconds with one general given question for all of them. I would like, before that, make some housekeeping, thanks to for the remote moderator, helping us to deal with our remote participants. We have ISOC ambassadors who are very helpful here to thank. Of course, as you know, the golden rule is we want this workshop to be as interactive as possible. I would invite each of you to be ready and shoot your question.
Starting to my right side, we have Sunil Abraham. You are the director of Internet Society CI India.org, and thanks for joining us.
Here to my right I have Margo Steiner. You are from the Polish government, and digitalization and you are very active player in the current discussion on the protection in Europe and hopefully you will be able to say more about that in a few minutes.
To my left we have Alexandria, you are an executive officer from the privacy international, who is fighting for the right to privacy across the world. And you will be able to say much more about that in a few seconds.
Then should I present you Joal Alhadeff, in these environments you are the vice president for global policy and chief privacy officer with Oracle and you have so many hats, engagements at the highest level just to mention to start with, but in many other places.
Last we have Marie. You're an expert with the Council of Europe, so you will be the Council of Europe today and also a high‑level advisory the French data protection authority.
So let's start with the first questions, which I believe is the most expected question to a panel dealing with privacy. And it is why we are hearing about the revelation of so I would like to have each of you from your stakeholder’s group perspective to give me your views on that. And my questions, which is a bit more tricky, would be how do you feel one should restore trust after all of this, certainly in the privacy field. Who wants to start with it before I just take a volunteer? Is there someone? Please go. Thank you.
Margo?
>> MARGO STEINER: Okay. So let me start as a government stakeholder. It's not like the easiest place to be right now in terms of the NSA revelations. So I will start with the difficult one. So we had a lot of attention around revelations in Poland and being NGO's were very active and asking us to what extent we knew what happened and what extent we did to prevent it and so on. All those questions helped us to focus on what we're doing anyway to protect privacy. As Frederick mentioned, we are working on the regulation right now, and there is no better incentive for us and all the stakeholders to sit together in one table and discuss this topic right now after all the citizens realized what could be privacy if we don't have clear transparent rules about how we use our data.
So what we did in Poland is we clarified the rules that we have for surveillance in Poland. And we think this is a very important piece because, of course, it's always like a hard dilemma. On one hand we don't want to make it harder for police or for any secret services to ‑‑ we don't want to make it harder for them to help, for example, parents find their kids when they are lost, yeah? We don't want terrorist attacks to happen because somebody couldn't inquire about something. But on the other hand we do believe that it's a basic principle rule of law that those issues, those inquiries, have clear rules known to citizens.
This is something that we clarified for Poland, so we clarified our legal basis for this kind of actions and we are basically right now, of course, Poland is not associated with any types of behavior like that. But it also helped us to focus the debate on the general protection regulation, because we do think it's a good mechanism not to address the Secret Services themselves, but to address the general concern about our privacy on the Internet and how it is protected.
On restoring trust, like the first necessary step, there's no restoration of trust if there is no clarification. And I think this is something for which not only Poland is waiting, but the whole EU is waiting. There have been questions from Commissioner Reding to officials about the scale of the surveillance, because we hear from the press about what might have happened. If it is confirmed, it is a really scary thing and it's a potential threat, we believe, to human rights and to democracy as we understand it now. But we have received no clarifications ‑‑ no official clarifications so far. So there will be no rebuilding of trust without this issue being fully clarified and explained. That's the first step.
The second step is for us to think about regulations that could prevent it, also for all governments to think about regulations that could prevent the explosion of surveillance and could put it in a legal framework. And the third important thing is awareness raising. As citizens we need to be aware about what is going on, what are the potential threats, potential use of this data in the web, and who can ask for what information about us?
In a good case scenario, in a good case scenario, what is happening it is only really a government inquiring when they want to protect us from immediate harms and only when it's necessary. And that's understandable and that really requires a clear rules and controlling mechanism to make it legitimate.
>> FREDERIC DONCK: Thank you, Margo. Who is next?
>> SUNIL ABRAHAM: I'd like to begin by talking about the impact that Edward Snowden had on privacy policy development India. There was a process that was started three years ago and we have been through three versions of the process of the bill linked. Thank God for whistleblowers. And because several stakeholders were unhappy with the text of the bill, the planning commission of India asked the justice to work on a white paper that would influence the configuration of the bill. I was lucky to serve on that committee chaired by Justice Apishar. And we had the principles very much like on the similar lines of the European Union.
The next step was the Department of Personal Training was supposed to update the bill implementing the recommendations of the committee, they did so. Immediately after the Snowden revelations, we hear that they've decided to go back to follow laundering, to go back to cherry picking worst practices, to join the rest to the bottom, and all the safeguards in the interception and surveillance chapter have now been removed again. So that is the impact, the direct impact, of Snowden's revelations to India.
How can we trust? Perhaps this can happen only in a really painful fashion. In India we have exhaustive requirements for mobile and Internet users. There is also exhaustive data retention requirements for mobile, Internet, broadband, cyber cafe users, and all these databases are being combined by a centralized biometric‑based authentication and identification infrastructure called the ADAR project. So what we possibly need is an evil Snowden, somebody who leaks the national biometric database. Then the government will, perhaps, learn through dreadful consequence that it is very dangerous to go down this route and then there will be behavior modification. When it causes a crisis in your life, then you rethink tobacco use to the point you never take it seriously, even though you are very aware of the dangers.
>> FREDERIC DONCK: Joe, please?
>> JOSEPH ALHADEFF: I think as soon as he kind of points out and also Margo to some extent in saying that within Poland they looked at their own surveillance systems and looked at the way they were working, the issue is global in scope and nature. It has to be an intergovernmental discussion. They cannot be mutually exclusive. You have to have a way where you can figure out how to do both.
As a society we expect our governments to protect us, but we also expect them to respect us. We have to figure out a way to manage that. That has to be through a dialogue. It's happening in the newspapers. We see the dialogue from the EU that comes to the U.S. There are bilateral conversations between governments. We don't know what the outcome is. But the discussion is, at least seeming to be engaged at the moment, is part what is the program, what is it that you are doing in national level and then is it overseen? Because we understand that there will be security apparatuses in nations to help protect the citizenry, but they also have to be appropriately overseen and be held accountable for what they do. It's a two‑context process.
There are certain government things to express in detail because it actually may benefit those people who are the exact ones they are trying to protect the country against. Finding a mechanism to have the conversation so that it's meaningful so that it's not detrimental to the security of the nation is not reached yet.
There are some established instruments, even after the regulation. There was a concept that this would not necessarily prevent exchanges of information that were developed in the mutual legal assistance treaties. But what we have heard is those treaties can be cumbersome or too slow with information that is acting in a fast fashion. We may have to revisit some of the instruments or reconsider new instruments in which you may have a structured way of exchanging information, so that you can assure that protections are in place and have reasonable association associated with them, but are also appropriate in order to achieve the job that needs to be done.
So I think we have a lot of moving parts. We have an ongoing process. Hopefully the process yields fruit. At the moment we are at the stage of looking to see what is going on and trying to understand how it's working. And I guess we should all be participants in the societal dialogue, observers of the governmental conversations, and evaluators of what comes out of the process.
>> FREDERIC DONCK: How can we trust governments? But there was some consumers start distrusting some specific businesses. What's your take about that?
>> JOSEPH ALHADEFF: The response was in response to legal requirements to provide information. Businesses operate in countries and countries have laws. The same way you would have a business operating in Europe would follow the European laws, also in the United States. That would apply to an American company. This is why it's so important. It's the structures of laws that have to be complied with. You have to manage that. The expectations of that compliance will actually help also to inform trust.
>> MARIE: I will tell you here what I have been asked to say last week in the Council of Europe where was the meeting of the convention committee. You know that in the world there is only one international binding instrument. It's Convention 108 open to third countries and some countries are coming from outside Europe, Uruguay and Morocco, at the rate of new states in the world having the protection on the same kind of principles because they have been always the same since the 70's is raising very fast. Now it's 101 countries. Sorry, because U.S., we invented the principles in the 70's, did not apply it only in certain laws.
Snowden, so what I said, first we have to analyze what was the end. Was it antiterrorism? In my view, no. It was spying for economic purpose, and I could give concrete examples on political spying. So this is completely against the rule on international level.
You cannot spy another state. It's against the sovereignty. That's first. What to do? Well, there is, of course, the political level, huh? The political level what the states will say to America for this moment. They are asking as our colleague say, clarification. Clarification? We all know and we knew even before, at least since 2003 and 2008. And I can also say what we heard. But we didn't do anything at that time. Now because the proof are there, we think that we have to. It's a question of respect of ourselves.
So there is the political level. After that there is certainly economic and industrial level. Of course, some countries are going to think everything should not be on Clouds, which we don't know where are the servers. You always know where are the servers. Even the U.S. government for years has been saying when they were asking for contracts on Clouds, the servers being in United States. Of course. Of course.
So I think our government will for the next years do things and I know that some relationship taken in Europe between different countries to set up some Clouds that won't be spied with the U.S., laws which are completely with fees. We knew since 2004 that an American enterprise which has other affiliates all over the world, they had to answer questions to their security services if necessary from everywhere.
On the legal level, I would like everybody to think a little bit and we don't have the answer today. Is it normal that a state can take that down which has no link which is territory? Not the persons? It's only transiting or located because of the processor, but no other link? This is the problem. I will tell you that since '95 Europe said that the data protection directive, I have been involved in it, even the privacy legislation on that it is transit only. So think about that.
Now, of course the European parliament is making a huge investigation. We are waiting for the result in December. At the same time I have to say the U.S is going to have its own report on the situation. In the Council of Europe on the Convention 108 ‑‑ well, it is not published yet. They are thinking of an opinion. They are writing by e‑mail and making to say to the Council of Ministers to insert within the Convention 108 in the article related to limitation of the rights all the criteria on the interception and everything that the Court of human right in Europe put through his jurisprudence. So it must be laws in which you have the object. You want to stop, I can stop? If you want to know the next, you will ask.
>> FREDERIC DONCK: We will address this. Thank you. I'm trying to have ‑‑ then you.
>> So you understand the concept in which we're working. We're the first international organization to work strictly on privacy issues. And our work involves working on an array of issues and with different professions and sectors to advocate for strong national, regional, international frameworks to protect the rights of privacy and data protection.
So that's our main goal in terms of the question asked by the moderator. So for us, we've really seen the impact of Snowden in the revelations in terms of really an acknowledgment and proof that there was real time and mass surveillance of citizens by their own governments, also by foreign governments. And for us, it's been really a challenge in terms and it will help us in our work to show that it's beyond the proportionate necessary and permitted by law limitations of the right to privacy.
Already these three elements are often contested, but the actions taken by governments in the surveillance and the revelations have shown go well beyond those three principles. It's gone beyond just the mere collection and retention to use for specific purpose. But now it's about retention if one day we need a case, which leaves broad violation of human rights which can occur now, but also in future.
And that's really for the right to privacy of individuals, because there's no way for them to know when the data was used and by whom and no possibility for each data owner to give consent to the data being used. These are really wearing.
In terms of the trust, I think there are two aspects to that. We have to see how transparent the governments who were put in the limelight have shown. How much are they actually telling us? Are all the revelations actually the whole story? If we start working on international principles to address the issues they imagine were made public, do we really know that they'll address all the problems?
Another element, not just governments and citizens, but between states. Governments didn't know the NSA was spying on them. The EU was attacked as well. I think there is a real problem to work on trust relationships, that level, as well for us to move forward. How can you expect states to have a dialogue together if there's no trust? So I think that's an important element as well.
>> FREDERIC DONCK: Thanks very much. If any one of you have a question, please raise your hands. If not ‑‑ well, the discussion and dialogue is really an important issue and I would like to start with some of those. Margo, you mentioned, and I appreciate it and thanks for your openness. You mention what it is that you feel governments should do to restore confidence and trust. I would like to have your talk about precisely what's happening now in European Union. Does it provide us with the protection? I know you are being extremely well involved in the process. So could you say a bit more about that?
>> MARGO STEINER: It will continue the answer to my previous question. It has been a regulation largely ‑‑ the political motivation to finish the work of this regulation is much bigger right now. And there has been some changes to the directive that immediately reflect, I think, the revelations. This is the article 43 A which was introduced into the regulation that will limit to some extent or will give European authorities or data controllers the right not to give out personal data to third countries unless there are requirements fulfilled. This is something that we don't have now that will allow us a reaction or that will allow us to know to request by certain governments if we don't believe that this is the data we'll stay under control. So this article has been already introduced to them general data protection regulation after the prism revelations. And I think it will stay there.
Another sign how it helped us mobilize was the fact that just on the 21st of October, I think it was Tuesday, the particle limit has voted and agreed on the data protection regulation, although there were 4,000 amendments to it. I think this is one of the records.
4,000 amendments that the commission had to work through. And they managed to agree on that within a very reasonable time period. Now they will be negotiating other possible changes within the trial process. And we actually hope that it will be possible to agree on the final wording and final shape of the general data protection regulation until the end of this legislative period, which is in spring of next year.
So this work is going fast right now and we would really hope that it will keep the space. Today and tomorrow we have European Council meeting, which is a meeting at the level of head of states. So head of states are sitting right now or maybe in a couple of hours because it's really early in Europe. They will be sitting today and will probably be discussing which recommendations to give to the commission and to the member states in terms of digital agenda. And we hope and we expect that one of those will be to finalize quickly the work of this general data protection regulation.
And let me tell you why we are so much in favor of this regulation. First of all, we are having like a big dialogue in Poland right now with private sector representatives with NGO's and with ‑‑ well, actually it's a very open dialogue. We try to involve users and try to involve students and young people. Around what kind of data of privacy protection they want. And it's a very open dialogue. And it's only possible right now because we have this carrot, namely this regulation. So we were able to bring to one cable many very busy people who would otherwise deal with something else to discuss how they imagine a good regulation, that would be open for interpretation and has managed to bring them together only because of the general data protection regulation because it has immediate impact.
We can have immediate impact on the shape of the regulation by bringing in the input from our stakeholders. So we have this dialogue. Actually, it was pretty clear from the very beginning that all stakeholders are in favor of one regulation for Europe. So it wasn't sometimes it seems that business might not be so much in favor of it, but actually business in Poland, maybe American business could have a different opinion on that, but when we talk to people who are involved in business also close to data protection in Poland, they are really in favor of it, because they see it as something that will also enable them to easily expand the businesses in other countries in Europe.
Why? Because previously in current law is basically shaped by the directive from '95. In the year '95 it was 11, I believe, and that's our current law that was then transposed into laws in member states. If you're a company, a start‑up in Poland, and you want to expand to other countries, you have to stick to the regulation of Poland that is based on this directive from '95. And then you have to have a look how this directive has been transposed in 27 other member states, which basically limits the market for startups from 40 million for less member states. It is quite a barrier to adjust to other regulations of the data protection.
So businesses are interested in having one regulation. They are also interested in adjusting current regulation to the digital age. Because right now we have a lot of bureaucratic obligations for companies that make no sense, and whereas companies think we need more efficient rules that would also help the companies preserve trust, relationship with the customers.
So they are interested in working together to find out those rules and let me just tell you some examples of the rules that general regulation will clarify. And this is, for example the definition of data protection, of personal data. The definition of personal data.
So in '95, personal data was probably name, address, something like that, yeah? Right now in the digital age it is much easier to identify a person based on other information. So we are not saying that ‑‑ so we are saying that the definition of personal data must be much broader and it must be all information that allows for direct or indirect identification of a person. And this is a key adjustment and very needed in the digital age. It's obvious to all of us who know computers and how much easier it is to find or identify a person based on sometimes random‑looking data.
Another thing is a clear rule for profiling. So we don't want to restrict or prohibit profiling, but we want to make it clear on what rules companies can profile and what consequences can come from profiling for consumers. This is also clarified by the directive. I will not go into details, because I got a yellow card already for speaking time.
So I would just mention the first change that this regulation will introduce, and this is so‑called one‑stop shop, and this means as a citizen, consumer, you will be able to go to your regional data protection agency if you feel that your rights are not being respected. So this is, I think, a big advantage for many consumers who right now we had this famous case of a German student who had to fight in court with Facebook because he couldn't do it at home and for some consumers it is important to be able to speak at home to the potential complaints.
I will finish on that.
>> FREDERIC DONCK: As always, I need to be just a bit rude with you. I really regret it. I really regret it. But the time is what it is.
We have a question, but before I give you the floor, I would like to start from exactly what you said. It's really a good starting point. I'll turn to my right and to my left. But I would turn first to my right, Sunil. How this conversation in Europe, actually, does impact your life India?
>> SUNIL ABRAHAM: If you look at the title of our workshop, Privacy From Regional Regulations to Global Connection, then one would assume that it would be regional privacy principles like the epic privacy principles. You would be making the assumption that human rights, like in Europe, is the driving imperative for policy driving India. You would be wrong on both of those counts. Because it is trade rather than human rights that is the primary imperative in India for driving privacy policy development. And because trade is the primary imperative and the European Union represents one of the main markets that the Indian outsourcing industry is interested in, citizens of India will have the right to privacy protected thanks to the lovely people in the European Union. That is the reality.
So we decided to work this. We had a meeting with Libel, the ED of the Justice European Commission. And we had informal meetings with Article 29 working party. Then we decided to do it IGF style, have multistakeholder dialogue. Since the government was not drafting the bill in an open process, we created a fraudulent civil society bill. Then we recruited two very important corporate consortia in India, the Federation of Indian Chamber of Commerce in Industry, and also the Data Security Conference of India. DSCI is the self‑regulatory organization for the outsourcing industry in India.
We had seven roundtables over a period of four months across the country. The last roundtable just before I caught the plane, we had the constable from the Netherlands, also the chairman of Article 29 working party, Christopher Graham, who supports the chairman of Article 29, both the information and privacy commissioner from the UK, and Chantelle from Canada, the deputy commissioner.
This discussion, even though it is around a fraudulent bill produced by a completely irrelevant civil society organization, the organization I represent, the civil for Internet Society, has thankfully raised the quality of discussion. Instead of saying silly things like Indians don't care for privacy because on train journeys they share very intimate details of their life. They're actually discussing details of the law, because we cannot swing it 100% from zero to horizontal statute to overly aggressive regulation of the industry. We want to protect innovation. Citizens benefit from innovation. And the end results we've lost all our friends. So civil society accuses us of selling out and having a completely weak bill that allows the industry to do whatever they want. And our industry friends think that we are in some kind of conspiracy to overregulate them.
But at least the quality of discussion has improved. Before I end, I'd like to say all of this is supported by Privacy International, thanks to their money and international support. We're able to drive this process in a credible fashion in India. So this is primarily the regional impact. It's not the region where we come from. It's some other random region. We're very grateful for it.
>> FREDERIC DONCK: Thank you very much. I would like you, Joe, to take it from here, actually. We're hearing about impact of some regional regulation or conversation in different part of the world. So what's your take as a business, actually? Are you happy we have this? And I thought that the conversation shifts from harmonization to something else. So could you say a few words on that, too?
>> JOSEPH ALHADEFF: Sure let me first specifically respond to one region since Margo specifically questioned whether one company would be happy as Polish companies would be happy. I think if we looked at the intent of the bill when it was being drafted to have a more effective privacy regulation to lower burdens, enhance consumer trust, enhance user participation, all of those were shared objectives across the stakeholders. I think when you look at the concept of a fragmented directive implemented differently across all of the member states; that was never something that business welcomed. That was something business always opposed, especially when you have the level of detail that some of the legislation got into including at least one economy suggesting that there should be an eight digit alphanumeric passcode in order to be privacy compliant. That is not actually helpful.
So I think that concept was well supported. I think the idea of the one‑stop shop has morphed as articulated by Vivian Reding, because interestingly, companies had introduced the concept that the one‑stop shop, which was ‑‑ and this is why it's beneficial for the companies to have one regulator to go to.
The reason why it's beneficial is that that regulator gets to know you over time. The investigative process becomes actually a much more logical process than because they have an accumulated knowledge over the company over a period of time. The fact that the regulation is a regulation as opposed to a directive, it's not transposed into a national law. It's harmonized.
The fact there is a consistency mechanism to make sure the law is applied in a consistent fashion means that you don't have data protection commissioners who are outliers. Industry, however, did raise the fact that we are concerned when talking about a one‑stop shop for industry, you actually in some ways disenfranchised the data subject. Clearly the data subject should always be able to go to just their data protection authority. Therefore, the same way a business can go to its data protection authority based on its locus of operations, the data subject should be able to go to their data protection authority and somehow you should have a conciliation process between those two in the context the investigative resolution.
The only other concept on the details was the definition of personal data is fine except you have to also look for the unintended consequences. This is where I think business is, perhaps, reluctant with where the regulation is. Not with its objectives, not with what it wants to achieve, but in its detail.
Because, for instance, under the current definition of personal data and the directive, an IP address is personally identifiable information. Now, to be honest, this has been something that has been established in most DPA's across Europe for a while. It's not that this is news. But the unintended consequence is the IP address is used for security verification in a number of cases, whether it's virus checking, adaptive access.
If you need to get consent to use it for that purpose, you could potentially undermine some of those issues. The question isn't whether the concept is okay. The question is do we have unintended consequences in the application of the concept. And that's where a lot of the discussion has entered. It's not the main principles of the regulation, because in all honesty, the main principles of the regulation are very similar to the principles of the directive, which is universal principles that exist.
The question is at the level of the details and their level of implementation. To get more to the question you asked me, so the concept is the regional implications. As Sunil pointed out, under APEC there is the concept of cross‑border privacy rules. I'm gonna say it out loud once, but then I'll call it a CBPR after that. Under the European Union, as a concept under the directive and more firmly established under the draft regulation, there's the concept of a binding corporate rule. Both of these are ways in which companies can share affiliate ‑‑ can share information across affiliates through a set of rules that are overseen by either a designated agent or an authority in the case of APEC.
It's a designated agent that is certified by an authority and to which an authority stands over them. In the European Union it's directly by the authority. But the BCR and the CBPR have a lot of commonality besides just the letters in the name, which is confusing.
That commonality is now the subject of a work product between APEC and a number of European players: the CONEAL, the ICO's office in the UK, German Data Protection Commissioner, EDPS, European Data Protection Supervisor, and representatives of the commission. What they're doing is they're saying let's look at a CBPR and let's take a look at a BCR and let's do a mapping and see what kind of overlap there exists in the requirements and the level of validation across these two systems.
While they haven't finished the mapping yet, the best guess is that it will come somewhere between 70 and 80% overlap of commonality of obligations.
And so the answer is this isn't mutual recognition, because the answer is you're not doing everything the other person is doing, so you don't get credit for doing 100%. But the question becomes how do I give you credit for doing the 80% you do so you don't have reinvent the wheel on the 80% and figure out how to you prove the other 20% that you're not doing.
So the idea is to create efficiencies, as Marie George pointed out, we don't have a UN creating a global norm. While we have global principles there isn't a global law. So the question is how do we start to have interoperability across systems such as the European Union does with adequacy. How do we have that across where we can streamline the complexity of compliance, by which the compliance will be judged or the requirements that are inherent in that compliance, because you're still not saying that 80% is good enough. What you're saying is we'll give you credit for your 80%, but now we have to figure out how you do the 20%.
That part of the process has not been defined. They're still trying to figure out how to get to that part of the process, because they haven't finished the mapping. But as far as I'm concerned, that interoperability is a practical solution to what is a lack of global harmonization. It's not likely that global harmonization at the legal instrument level will happen anytime soon, so it's a practical step of how to move things forward without diminishing the standards of privacy by creating some greater flexibility in how we adapt to them.
>> FREDERIC DONCK: Thank you, Joe. You have opened so many and I'm happy you address the issues. It will nicely feed to my next questions. Before I get there, we have some question from the audience, so please introduce yourself and ask your question.
>> Joe explained a lot of the interesting things which I was very interested about this global harmonization process. And then probably if you can add, like, I'm wondering whether EU, like CBPR in this kind of my second question with Nigel Waters ‑‑
>> FREDERIC DONCK: Nigel works for privacy.
>> Yeah, yeah, Council of Europe. I found her intervention ‑‑ presentation was very interesting about this Cloud service and the data and especially from the sovereign countries, the national government. And so a lot of the governments these days, are they, like, forming the task force about the privacy, including Korea, which one of those task forces on privacy now? And they are interested in, you know, how countries around the world now are responding to this kind of sensitive situation where most of the Cloud service, the servers, are located outside of their country. And under this situation, they cannot really force people not to use a certain ‑‑ the social networks like Facebook and YouTube and the Twitter. On the other hand, they are very concerned about the data being controlled by somewhere elsewhere they cannot have any control over.
So under this situation, what will be the role for the government and what will be the role for the other stakeholders, like including the civil society and other sectors. Your response to this would be highly appreciated.
>> MARIE: I don't know if I can answer directly to that question. It's an industry thing. What surprised me is that, of course, with the Snowden business and I have been writing with others a petition to support with very high ranked French person. What I see is that in the global situation, the users of the Internet are not that much shocked. It's amazing, because now it is in the hand of everyone every day. Excuse me for the word, the "regular" people, they still go on Twitter and others. It's more the political society. Those like you and me and so forth. So it's not that good for the moment. We talk about dialogue and everything. We have been completely spied and we talk about dialogue: It is a little bit unbalanced.
So that's the real situation. I'm sure U.S. is going to stop certain things, but not everything. And that's why I think we have to work a lot on our national legislation and international or so up to which point you can use mass surveillance tools.
All that said, we need those tools for security. We don't want to ask the consent. I'm sorry, under the data protection principles the purpose of security of your own system, I'm not talking about the security of the whole world, where you spy everywhere. No. The security of the system of information which for the moment require some very intrusive tools is perfectly legitimate purpose. You don't need the consent of everyone for that.
I add that there is a need of those people in charge of the security of the system to be protected by a confidentiality duty. So the head of the enterprise of the government won't ask them to follow another person, okay? Then, control for the sovereignty of all this. And I can give you the list of requirements. It's quite long list. You have to put in the law. This is a democratic requirement. You have to have a law to say in which cases for national security purpose you need to make some surveillance.
You have to put who does that. You have to put down which means. You have to put procedure of control, both except in urgency, and then there is a report to the parliament and the public under which breach there was a need of surveillance, how many has been accepted, how many case have not been accepted by the independent body, how many case, and the control after the result and the recommendation for further.
This has to be done. We think that in the Convention 108 it will be put and it will be put under the directive. It is already some part of that is already in the regulation of EU, which is under consideration.
I have to say also that more broadly, and data protection principles and application to be efficient, there is a need and not only those who collect your data, but also those which produce services and those which produce products, Smartphones and everything, has some duties. All the principles that relate to the phase of design that what they're doing should be put inside, this will be in the modernized Convention 108 or so.
Under one‑stop shop in the EU, I would like to say that in practice, and it will reverborate a little bit, data processing is always surrounded by some laws. For instance, you should take how you are paid. The rules to make your wage, many lines. There is no one ‑‑ there is no two member states in Europe where they are the same requirement. So they are always in Europe, local things. So, of course, the DPA of the local who knows the laws will be in. That's of course. And I saw some draft that will take care of that. Thank you for everyone.
>> FREDERIC DONCK: Thank you.
>> JOSEPH ALHADEFF: There was a question in there for me as well that I wanted to answer. So the GDPR is obviously being considered in the APEC process because the concept of the binding corporate rules that they're working on while it exists under the directive, it much more clarified under the draft data protection regulation. And I would have to believe that the EDPS, the ICO, the CANNEAL, and the German data protection commissioner are looking at the definition of binding corporate rules under the GDPR, not just how they are working currently under the directive as they're doing their mapping.
So I would presume ‑‑ I mean, I can't speak on their behalf, but I would presume that they are looking at the instrument on the table as well as they're doing the mapping and understanding what the requirements would be.
>> I want to add something.
>> Beyond the data protection laws, there is a need to ‑‑ regulate the way governments are deploying and using surveillance, technologies. It's now been signed on by more than 200 civil societies organizations. We launched in September 2013 the principles on the application of human rights communication surveillance. And they were presented at human right council. They're welcomed by a number of member states, and it's really important that these laws are not meant to be ‑‑ these principles are not meant to be new laws. They are already laws in place which should already protect citizens, but they're not enforced.
We want these principles just to be used as benchmark by governments as they are reassessing and reviewing their surveillance policies and laws following the revelations about how they are gonna take the issue forward and how they're gonna get the trust back of their citizens.
One of the first countries to have responded positively to these principles is Sweden, who last week at the conference in Seoul put forth seven principles that they're going to push forward on. The 13 principles were influential in its own surveillance systems. So their seven principles out of the 13 we had are legality, legitimate aim, necessity, adequacy, proportionality, judicial authority, transparency, and public oversight. And I think these seven principles have come up in the discussions today about data owners having a body to go to get redress in violation of their violations.
And every step of the way about why they are collecting this data, what it's going to be used for and to justify that to citizens. So I think it's really important to maybe take initiatives like the one we've tried to develop was a group of organizations to push the issue forward, because we all know there's no point in imposing on governments, because from civil society they're just gonna ‑‑ they're not gonna take ownership of these principles, but just to work with them, to raise awareness about the human rights impact of their practices and see how we can push that forward. So we hope Sweden will lead the way and that other governments will push in that direction as well.
>> On the same line, yes, on those principles had been written in a comment 16 in 1988 at the UN, according to Article 17 of the pact.
So we are still on, and maybe this time we will do it, except everybody has to respect and who is going to control on the world level? That's the problem. So we have to go up to that because we knew since the beginning that with computers you can do things on the right side or a very bad side, surveillance. We knew that from the beginning.
So up to now we are the data processing with all those principles. Now we need to have commitment of everybody, not to go on the other side.
So it means also that when there is cooperation between several intelligence services, this contract must be allowed by also the independent body which controls the interception. That's very important.
Also, there is a principle which is that the person who is intercepted is monitored, must be informed as soon as possible. Everybody forget that. Of course, huh? When is it possible? But this principle is very important and democracy.
About BCR and the relationship between APEC system, CBPR and the BCR, I know the logic of BCR, because of the contractual services that have been invented by France in the '80s.
Okay. Why we had to put in Europe this BCR with a certain level of protection. And why it is not the case in APEC. Because when the APEC ‑‑ for the moment, as the president said since the beginning, all these instruments on the international level, whether binding or not, they are compatible. But some are higher than others. And it's the case in Europe and of the convention. But maybe you're interested to know. In the privacy principle of APEC, they have been adopted right after the Safe Harbor agreement between EU and U.S., which is under consideration now because of the mass spying which came up.
At that time U.S. accepted to give up two things: The right to use publicly available data for free, I mean, without any other consideration; and the other one is the HON test. Europe could not accept this. There is no public available data as such. You have to respect it. So these two things are in the APEC privacy from 2004.
Now, in that region you have countries with laws. Canada, New Zealand, Australia, for years and years and years. And so when they saw those principles, they said well, we have to get in and make our laws recognized. So in the APEC system arrangement, it is said that you have to respect the laws when they are.
So we go back to the beginning to the need of international agreement and that's all, because the principles are the same. Sometimes for political reasons, some industry were able to push and to lobby in a way which interested is against them, long‑term benefits, I am sure.
>> FREDERIC DONCK: Well, thank you. Again, I like the discussion and conversation the way it goes now. I would like to continue on that basis in the principle which is described. I know there are several questions in the room. I hope it goes in the same way. Gentlemen, you were asking for question?
>> It was responded to.
>> FREDERIC DONCK: Wonderful. So who was next? This gentleman, I guess. Right?
>> MCS, UK, working for IT. I'm not sure I'm going to continue on your line or not, because one thing I thought I was coming to was something to do with how regional ‑‑ oh, we got a nice echo.
>> FREDERIC DONCK: I will give you my mic.
>> It might be the way I'm using it. I thought we were going to be talking about how regional will translate into global. And in listening to Sunil, and what in effect I know I'm overstating this, but in effect a rather cynical way of dealing with something that wasn't entirely a grounds for within, but responding to a need to do business with the EU. I wondered about cultural issues and how they would affect even if you did have any sort of correspondence. For example, there are cultural differences even in Europe, as we know.
For example, I'm not defending it, but the way that the UK implemented the directive was very, very different from the way Germany directed it, so that's how the conversation came about, obviously. But I wondered, you know, the APEC principles, for example. How do they resonate culturally in places like Japan, the Philippines? How do they resonate in India? What about South America? The regional aspect seems to be a bit missing in what we're doing.
>> SUNIL ABRAHAM: I think it was, perhaps, four years ago when I met the director of Privacy International, and I told him that privacy is not an issue in India. But after that, the government of India has ruled out several surveillance projects, starting with the UID project, then the CMS project, and there were some very high‑level leaks of interceptions, data, very important businessmen in our country made available on the Internet, published in national magazines. Overnight something that was completely not an issue for India became an issue for India. Civil society began to complain loudly. If you just look at social media today and use keywords such as UID, CMS, you can see an issue complaining.
I completely take your point that there is cultural relativism. I'm not saying it's completely absent, but it isn't the case that for Indians, there is none at all. Islamic law, pre‑colonial law during the Mogul time, and I'm quite confident we will demonstrate that across centuries privacy has always been a concern. Perhaps we don't have the exact term and perhaps we call it different things, but definitely there is a larger and longer history to privacy policy development in India. It is not just something that is emerged after the Internet.
So how then will we implement this cultural difference if we are going to adhere to global principles? That is the complicated question.
Providing detail about HIV AIDS prevalence at the level of a village may not cause any harm in Europe, but in India, if HIV AIDS prevalence data was published at the village level, there can be stigma and discrimination.
So there are tests that will be applied by judges, the HON principle test, the public interest test to balance the right to information versus the right to privacy, and it is in this tests that the cultural difference will show.
So I'm relatively confident we can globally harmonize differences without globally harmonizing differences. This is assuming that law enforcement agencies and the judges get up to speed. Your concern is very real.
>> MARGO STEINER: Your answer was very informative and it was very ‑‑ deeply rooted in your culture that you know and it was really great. But I just wanted to reflect quickly on the examples of the cultural differences that I tend to hear at a conference like that, that I might repeat but I want to reflect on them. So usually you would hear examples like, for example, I don't know, that there is cultural differences because, for example, France in German, they are not afraid of going naked to the beach, but they wouldn't like their payment data to be released and things like that. And it's a little bit trivial to some extent, because I think so this is like the little differences that you may name. Actually, I don't imagine they change a lot to the core of the regulations that we are talking about.
And the core is usually to give the people the chance to remain in control of the data. And it's to be able to agree and to be able to remain in control of what is happening of the data. And in there I don't feel that there is big differences between regions, where I do ‑‑ what surprised me the most and where I see the real difference, rather about balancing different values, was the reaction to prism in Europe and in the U.S. Where in the U.S. it was really visible and prominent that many people didn't mind because they thought the security issues are so important and they didn't really see the relevance to democracy and human rights protection the way we saw it in Europe. So that's something that I thought reaffirmed what tends to be said about the different roots of privacy in Europe and in the United States.
>> FREDERIC DONCK: Thank you very much. Can I continue the line and then you, gentlemen?
>> Just a quick comment. On the cultural and maybe regional differences, I was in Senegal a few weeks ago in West Africa. It is an element that came through very strongly. It's not that privacy is not an issue. It's just that it's interpreted differently and that has to be reflected in the national regional context. ECOS is working on a data policy protect legislation framework. At the international level, the organizations are pushing for this cultural aspect to be taken into account because if not, the people themselves will just reject even the very fact that they have rights, saying this is not linked to my reality. That's something that is talked about. It is very reassuring that even the people advocating for privacy are taken into account this cultural differences, but not eliminating the fact that privacy is a concern.
>> FREDERIC DONCK: Marie.
>> From my experience on 40 years and from international level, I can say that the basic principles and legitimacy, they are felt in situation exactly the same. I was astonished to read reports from Japan in the '80s. I could have ‑‑ I wrote exactly the same on the same topic.
Now, what are the real difference? What is sensitive data? In South Africa, south of the desert, the name of your mother has to be really protected, because it can be ‑‑ you can be touched through your mother if something is going back and forth. So it's about the only thing I found as sensitive data difference from of course sensitive data also has some differences in Europe. Just like the political opinion in France, it is normal in German I and those countries to be a member of a trade union.
It's no problem. You even pay on your wage in Germany. And even the money you give to your church is taken from your wage. This is impossible in France. So there are some differences like that that you have to take in account. That's what the one shop business can maybe work, but not everything.
Now, the huge difference in my view is on the question of right to speech. Here, yes. Clinton, the business with his girl, was shocking for all data protection commissioners in the world. And we even took resolution on that at the time. We were shocked. The fact that all the Nazi sites are in the U.S. is terrible for Europe. So under the freedom of speech, it's true that there are very huge differences. And decency, same thing. It has something to do with freedom of expression.
So on this topic, yes. But on the basic question of data protection we call it normally, no. What about ‑‑ why I am really for world discussions. When I hear India, it's incredible to hear because now I'm sure we could agree with digital fingerprints, DNA, your project in which a French enterprise, the leader of the world on digital fingerprint is we had to fight for years and years up to the constitution in order to get rid in France of national database with eight fingerprints, not ten, because ten that's surely police, but eights because you are 60 million. So I said to political people, what about the Chinese and the Indian? I guess their feet won't be enough?
(Laughter)
>> JOSEPH ALHADEFF: Because the question was how the APEC economies managed it. The APEC was twofold. It was elaborated beyond the guidelines were restructured more along the concept in the PIPDA Canadian privacy law. It's something inherent in the APEC principles.
Just because that concept is you have to apply a law in context and that was one of the ways you consider the context, but harm was not meant to be merely financial. So you could have a harm based on collection just like you could have a harm based on use.
So that was the way that went. But a lot of economies in Asia Pacific that are members of APEC, Asia Pacific Economic Cooperation is essentially economies that have a Pacific coast. Sometimes you don't think about the fact that Russia is there; parts of South America are there.
So just to round out the story, so a number of those economies didn't really have a position necessarily at the beginning of that on privacy. A number of them, New Zealand, Australia, they already had laws relating to privacy. So part of the work was capacity building. Part of the work was outreaching to those countries that didn't have a law to say you may want to consider these principles in developing a law. And we used to do workshops on capacity building to help economies think about how these principles could be applied in a law.
The other part then became practical. So that's where the CBPR's came in. So the concept was you have companies within these economies that are exchanging information. How do we raise the bar to make sure that the exchanges of this information are at least compliant with the APEC process? And so the CBPR really deal with when you get to an international transfer. They do not deal with what happens in country. So, for instance, if you're in Australia and you are collecting information in Australia and it is maintained in Australia, then you are subject solely to Australian law.
What happens in the CBPR is it's created a system whereby a company has to be ‑‑ has to participate. In order to participate you have to be vetted, and you have to sign up to the level of protection. Then you are overseeing either directly by an authority or by an accountability agent. That accountability agent also has to be vetted in order to participate to demonstrate that they have the capacity to enforcement the last thing is economies that wish to participate are also vetted and demonstrate that their law is in fact sufficient as well. So it's a three‑tiered version. If you think about the Asia Pacific, there are different cultural aspects or different legal aspects. There are different levels of development and adoption of laws. So what happened was we built a Pathfinder. A Pathfinder is APEC‑speak for a project where people can join so they can move along with the project but don't have to commit to all of the projects yet. 16 of the economies were part of the Pathfinder project to develop the CBPR.
So in essence, the regional network has kind of grown over time of people moving in this direction. And the interoperability, both within the APEC there has been the not necessarily an enter operability of instruments.
>> FREDERIC DONCK: That is very nice. It might be one of the conclusions of today. I'm really afraid we are running out of time. It's 12:30. We are just starting this conversation and it's already an hour and a half. He have to finish it. Before I do that, I would like each of you in just ‑‑ well, one line and you know me, and I will be extremely rude. We are all consumers, too, in this room. So what would be the take for a consumer here in this room if he needs to remember something? In terms of whatever trust or new role in this new era? What do you want the consumers to know?
>> So I think the consumer should try to read terms of services. And you have a lot of impact on companies, how clear those are. So we can ask the companies to innovate in terms of delivering as clear instructions with pictures. They are able to do that and we just need to ask for them because I don't think it is the rule of law. Law would not allow companies to be really clear and communicate, but consumers can.
>> FREDERIC DONCK: Next.
>> SUNIL ABRAHAM: Consumer should know that Snowden's revelations won't just lead to the acceleration of globalization of ICANN oversight, but also the acceleration of privacy policy harmonization.
>> FREDERIC DONCK: Thank you, Sunil.
>> Just the point about users. Also acknowledging that they have a right to privacy and they have the possibility at the moment. It's limited, but to enforce themselves their own right to privacy by opting in, opting out, reading the small characters at the bottom of contracts, and paying attention to that sort of thing, and also paying attention to what they put on Facebook and Twitter.
Also, I think it's important to raise awareness about what exists in terms of reparation now. There are already data protection commissions that they can approach. And I think it's really important for individuals to go forward and find out what rights they do have.
>> JOSEPH ALHADEFF: I think one of the things is too often we use the word "balance" when we should be considering how to optimize. It's not a zero sum game, the whole be larger than the sum of its parts. And I think the other thing as look at what might be long term solutions, we there are solutions that help bridge some of the systems without diminishing the standards across systems.
>> We don't think that it's the fault of users that they're not aware of these things, that their rights should be violated. There is a responsibility at the high level. So just to make that clear.
>> MARIE: Act towards your friends, relatives and so far, in a way that they get the reflects. Once you understood something in privacy, then in all cases you can do it. Get the reflects. It's not awareness. Awareness is flat. Get the reflects. Then the practical solutions that you have to invent every day, but you have also to see the long term.
In the long term I am quite afraid, because the balance between security and privacy is always very unstable in a country. The country can derive from more democratic to nondemocratic. And think of what you do when you have a database of 6600 million of people India with all their fingerprints, face, and everything in the database. This is where the world would change, with mass surveillance and a possibility to resist to anything which is going on. No, so there are everyday solution and they are the long term of which society we are building with nice IT, bad IT's, or those connected to your buddy. It's like being in the villages.
>> FREDERIC DONCK: Thank you very much, Marie. Thank you very much, everybody. Please help me with clapping with this wonderful panel.
Thank you.
(Applause)
>> FREDERIC DONCK: I hope we continue the discussion. Thank you.
********
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
********