The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> GRAZVYDAS JAKUBAUSKAS: Around the table. There are enough places. Please. Dear participants, welcome to most likely the last session today for the closing of the IGF Forum, Open Forum on data and the title of the session is data as new gold: How to avoid gold rush and create value for all. My name is Grazvydas Jakubauskas. I'm from the commission, director general on international partnerships. And I will start with a very short introduction of our panel, both on site and online. We'll have some 30, 40 minutes with our speakers and some 20 minutes for your questions. If any, I hope.
So let me very quickly introduce the main focus of our session today. So the session is on data and its benefits to society and how can we benefit from the data at the same time retaining of human‑centric approach, mitigating risks and succeeding and closing fortunate digital gaps and additional divide.
So let me now present you all the speakers of today's conference. Some of them would be visible only a little later on the regime. So I will start from my right‑hand side. Mrs. Chloe Teevan, she is head of Digital Economy and governance at ECDPM. On my left‑hand side, Mrs. Bridget Andere from Access Now, Africa Policy Analyst. And Mr. Johannes Wander, policy adviser on digital development and innovation at GIZ African Union Commission, local, I should say. And we have three online speakers today as well. Ph.D. Marek Havrda, deputy minister for European Affairs, CZ presidency. And director from privacy and security at Digital Europe who will be joining us also online and Mrs. Maria‑Rosaria Coduti. She is policy officer for data policy and innovation, also from European Commission from DG CNECT, general communications.
So let me very quickly start with the first speaker. So I would like to pass the floor now on to online regime where the of European affairs. Do we have Marek Havrda with us? Vice minister, do you hear us? It seems that we have some technical problems. Oh, yes. We see you, Vice Minister, but we can't hear you. You are muted. Can you say something now? It seems that we have some technical problems. Okay.
Let me, then, start with another speaker. I will briefly present him, because I don't see also the representative of the European Commission joining us. But I hope that we will manage to get her later.
So let me briefly present the first speaker who is Alberto Felice, director for infrastructure, privacy and security policy from Digital Europe. And digital Europe is Europe's leading association for digital and digitizing industries. Its members are 41 national trade associations from across Europe as well as 100 direct corporate members, representative, 45,000 companies of all sizes. Digital Europe has been heavily engaged in EU digital policy‑making with data policy becoming the biggest problem for the association in recent years. And Alberto leads the association's team working on data, artificial intelligence, privacy and cybersecurity, among others. He has extensive experience in digital policy risk in our discussion including telecoms, infrastructure, and data protection.
So we are happy to have you today with us, Alberto. And I will start with a few questions for you. So first of all, I would like you to elaborate a bit on digital transition and data economy, how to ensure that no one is left behind. And another topic, which is very, very important, is regulation enforcement. Margins for improvement. What is your perspective representing the private sector here? So, please, the floor is yours.
>> ALBERTO FELICE: I hope you guys can hear me as well as see me. It's a pleasure to be here. As you said, Digital Europe is a big trade association, one of the interesting things about us is that we cover quite a lot of different sizes in terms of the companies that we represent. We have companies from across the digital value chain, companies big and small. And we're in the middle of not only developing the digital transformation of our economies and societies in the past few years, we've had terrific change in the association that's reflected the broader change in how digital has shaped the economy. So we've gone from a trade association that was an association of traditional ICT players to an association that now has engulfed, if you will, as digital has, other digitizing sectors such as transportation, health care, construction, and the like.
So with companies, again, big and small, that have been joining our association, working on all sorts of policy issues, obviously predominantly at European level because we are Brussels‑based, but also globally. Obviously, one of the interesting things, being Brussels‑based, is that we are very much at the forefront of understanding how the evolution of business, digitizing globally in various geographies can be met by the evolution of policy‑making that relates to the economy broadly and to digital.
And one of the central aspects of this has been data and regulating data to make sure precisely that a number of essential public goals are met. So not only that we have a functioning economy, a growing Digital Economy, but also that this bigger digital pie is served across the full spectrum of interests in the economy and society. So, again, companies big and small so that we don't have monopolies or oligopolies with that benefit from the data economy, and we have a whole value chain that can benefit from what new business models and value data can bring in the economy.
So this has been one of the central points of action for, you know, particularly this new European Commission, and the data strategy of this Commission has really been centered, I would say, around this central goal, which in Europe very much is part and parcel of discussions around, you know, sovereignty as well and how data can protect the, if you will, the fundamental interests of our economies and societies.
It's been a very interesting and right now we're right in the middle of it, we're right in the middle of a lot of legislative proposals that pertain to data directly or indirectly. It is a very complex, if you will, set of developments, I would say. We've had particularly, I would like to draw everybody's attention clearly to the proposals that most people would be familiar with. So particularly we've had a lot of focus on AI. AI is largely about data processing, largely about, you know, the new areas of software and how we regulate these applications to make sure that we respect safety, fundamental rights, and there's been also separately quite a lot of proposals that revolve specifically around data, around data sharing, making sure that there's more data sharing across sectors in the economy and across different players in the economy. Notably, the Data Act as well as more vertical proposals such as the European health data space that has focused specifically on creating and increasing the amount of health data in its various forms that's shared across the member states of the European Union.
Why do I say that it's a fairly complex environment? Well, first of all, because it's a lot of proposals, and also in Europe we are starting from a place where we have quite a lot of regulation already in place. Everybody is familiar with the GDPR and to go back to the, you know, the title of the session, there's a lot of mentions of data being the new gold, in this context, the General Data Protection Regulation, so how Europe protects the processing of personal data is considered the gold standard worldwide.
But as someone has said, you know, gold is great, but it also means that, you know, it's heavy. And so we are ‑‑ obviously, we need to understand how this amount of regulation, particularly if we have more of it, can also facilitate data sharing in addition to providing rules that facilitate not only protection but also more possibilities for more players to benefit.
And, of course, I think right now, in addition to regulation that pertains specifically to data, there is quite ‑‑ we're in the middle of, if you will, a global crisis that we got ourselves into roughly two years ago. And this is obviously linked to the pandemic and, of course, we are also in the middle of war in Europe. And there has been an aspect that's very important in underlying all of the efforts around data, which is connectivity and strengthening connectivity, both within Europe, with the level of investments that we've had, sometimes complaining that we have been lagging behind other world region in stimulating private investment, but certainly there's been a lot of funds that have been spent in the context of both Europe's digital decade objectives but also the recovery and resilience facility that we put in place given the COVID pandemic.
And so clearly strengthening how this happens in Europe but also building partnerships worldwide. And this is the discussion that has happened with the U.S. in particular in the context of the Trans‑Atlantic Trade and Technology Council and the strengthening of joint initiatives globally built on the global gateway at European level and other equivalent U.S. initiatives. Because connectivity is part and parcel of moving data around, making sure that different industry verticals as well as consumers and individual households are connected and making sure that we can have a solid global underpinning to all our efforts, because data is quintessential to all our respective geographies, and it's also important, again, in a global context, particularly one that's challenged right now and possibly reverting back to some sort of local versions of digital data pools. It's very important that we keep those links so that we, certainly from an economic perspective, but also our societies can stay open and continue to benefit from global technologies. I'll stop there. Thanks.
>> GRAZVYDAS JAKUBAUSKAS: Thank you for your comprehensive insights. Now we move to the next speaker, just not to lose the time. And we know that Vice Minister had some technical problems. We are still trying to get him. But, yeah. Let's move now with our next speaker. And let me present very briefly Maria‑Rosaria Coduti from European Commission. And DG CNECT. She is a Policy Officer at the Data and Innovation Unit where she contributed to the elaboration of the data strategy and to the work on the Data Governance Act and the Data Act. She also coordinates the work on the common European data spaces and companies on the implementation of data policies on the international scene. She holds a master's Cum Laude in international relations and expert of East Asian Region Political Affairs. DG CNECT is responsible of the definition and implementation of the European Union's Digital and Data Policies. So, please, Maria‑Rosaria, the floor is yours. And I would like you to reflect on two questions. And these questions will be the same for you and the Vice Minister. And since Alberto already touched a bit on some of the European legislation, so if you could just elaborate for me on this. And, of course, the very central data policy aspect of your unit as human‑centric approach, and what do you think, what is the role of the governments here, from the Commission perspective, how you saw this process, and how to strike the right balance between making available more data for using, guaranteeing privacy and data protection at the same time? So, please, Maria‑Rosaria, the floor is yours. For five minutes. No more, please.
>> MARIA‑ROSARIA CODUTI: Hi, everyone. And thank you for giving me the floor. I'm very happy to be contributing to this interesting discussion. And, actually, this is a key question, a key topic also for the development of the European data policies and legislation.
From our perspective, what is important is that data protection and data access, sharing and use, should not be pitched as two elements that contract each other, that opposite each other, because in our view, these are, on the contrary, these are two elements, two faces we can say of the same method.
In our Data Governance Model that we have built in the data strategy, that we are putting in place in legislative measures, that we are implementing the Data Governance Act, the Data Act, our Data Governance Model takes, integrates data protection, we can say by default in the sense that we put ‑‑ when we drafted this new data legislation, we did it building on the protections already given by the general data protection regulation, the privacy directive, and other legislation that are about data privacy and protection. And we complemented this legislation, because you can't just protect data and impede the use of data, because if data is not accessed, shared, and used, there is no value produced out of data in terms of a new product and services.
So we create, let's say, a trustful environment, trustful ecosystem, where all the stakeholders that participate in it that can be data subjects, data holder, data recipient, data reusers. All of them have to trust that if they access, share, and use the data through this ecosystem, the rights and the fundamental rights will be respected. And as you mentioned, rightly said, at the basis of our Data Governance Model is a human‑centric approach. It's the idea of putting the individual and also the businesses that contribute to produce the data at the center, empowering them in the sense of giving them control on deciding who can do what with the data that they contribute to produce or data that are about them, and under which circumstances.
And we have, at the European Commission, we have put this into the legislation, into the Data Act that creates new data access and sharing and use rights. And that empowers users, for example, of IoT objects, that by individuals, by interacting, by using IoT objects, they produce valuable data, and they need to have a say on the data.
So the role of governments by the perspective of the European institutions is to make sure that the conditions for a trustful and secure access sharing and use of data are creating by the right policies, the right legislation, and also investing in technologies that allow the protection of privacy, even by default. Thank you.
>> GRAZVYDAS JAKUBAUSKAS: Maria‑Rosaria, very, very clear. Very comprehensive. And it seems that we have ‑‑ we could now move to Vice Minister, and we got him connected. Let me very briefly present Mr. Marek Havrda who is a Ph.D. and Deputy Minister for European Affairs. He contributes to coordinate their positions on e‑policies and the Czech's presidency of the Council of the EU, in 2022 second semester. Marek has built expertise at the European Commission and AI, private AI and think tanks. In his early career he gained experience with materials. He studied at the business school, Lancaster unfortunate, chancellor University, and Johns Hopkins University. He states that the digital transformation based on a human‑centric business is the main objective of the EU and he's been contributing to the global artificial intelligence ethics and governance initiatives including UNESCO recommendations for ethics of artificial intelligence, OECD network of experts on AI, and IEEE Ethically Aligned Design. So dear Vice Minister, we are very happy to have you here. And first of all, congratulations with very, very successful presidency so far. We know that you managed to reach global ‑‑ sorry, general approach on AI Act and IDEA, so, please, the floor is yours.
>> MAREK HAVRDA: Thank you very much for organizing this important amendment and thank you very much for having me in this very session. I would like to start a little bit broader on human‑centric approach because we've been discussing what human‑centric approach is. And just a few weeks ago at the ITU, the Czech Republic on the behalf of the EU27 presented a policy, joint policy statement, on human‑centric and human rights‑based approach to technology. This statement was already signed by some 57 countries. And I would like to share with you some background ideas, which we had when we were developing this.
What we understand by human‑centric, actually. Human‑centric for us means how we actually deal one avoidable tradeoffs when using the technology. And in dealing with these tradeoffs, I think we need to take into account several criteria. We have identified four so far, but there are more when it comes to the data. The first one is the respect and guarantee of privacy. So this is quite obvious. So privacy as one of the criteria when we are dealing with the tradeoffs. The second one, understanding and being aware when we use the technology and the technology is using data, that we understand the historic biases embedded in the data.
Third is respect for the individual autonomy. So it has a lot to do with its manipulation which leads to provision of the data which actually individuals don't want to provide voluntarily. And finally, there is the overall impact on human wellbeing at large. So understanding which data is needed for work purposes and to what purposes it is actually going to be used and what are the final impacts on wellbeing.
Getting more concretely on data, I think we need to be really pragmatic. It seems that certain attributes of the definability and/or usability are not so big threats in terms of this criteria, which I've just described. At the same time, of course, when it comes to combining data and assessing data together, there are much larger risks, and we need better checks and balances for this. And to make sure that especially in case of combining different types of data, we do not actually jeopardize, for example, especially the criteria of privacy.
Let me finish with just a few words on Digital Divide. Having the human‑centric approach to data should help us to bridge Digital Divides in different dimensions. From the economic to geographical. What is really crucial here is to understand what kind of data is actually available. So it comes to having a good description of the data which are available, so having a good and well‑defined method. But the second and maybe more important is to understand what are the data needs in countries and given communities. And this, in my view, requires kind of a new approach in terms of the cooperation between the government, the businesses, and civil society to actually define the data, data needs in the place. Thank you very much.
>> GRAZVYDAS JAKUBAUSKAS: Thank you very much, dear Vice Minister. I know that you have a very, very busy agenda today, but if you have the possibility to stay with us for about 15 minutes, we'd be very happy to have you here.
The next speaker, now we move to on‑site panel. So let me start with another speaker from the panel here, Mrs. Bridget Andere from Access Now, and Bridget is Africa Policy Analyst at Access Now. She previously worked as policy fellow and policy associate. She is an advocate of the High Court of Kenya and a member of Chartered Institute of Arbitrators and worked in the private sector having trained as commercial litigator. Bridget holds an LB from the University of Nairobi and a post‑credit from the Kenya School of Law. Access Now is an organization whose mission is to defend and extend the digital rights of users at risk.
They also closely examined the intersection between data protection and other areas of their work. In her free time, you can find her either singing or reading, with a cup of tea, and she's always willing to see a photograph of your pet. So with that funny and short introduction of Bridget and her hobbies, please, Bridget, I would like to pass the floor to you and ask you also a few specific questions. So first of all, what are your views, so the same question, how to regulate but also make sure that enforcement, what are the margins for improvement, and what is the perspective of civil society organizations in this case? So, please, the floor is yours, Bridget.
>> BRIDGET ANDERE: Thank you. As you've heard, my work really concentrates on human rights around the region, specifically, and our organization works around the world. So, of course, for me, the human being is central. If you ask me to balance between the economy and society, I will always speak society. But one cannot work without the other. As long as a model that is built does not benefit society in the long run, it affects the economy negatively. And that is something that we have to be a bit more long‑sighted about. We cannot afford to be short‑sighted when we are building models, because in the long run it affects an economy, no matter how beneficial it seems in the beginning.
I'm going to give an example. In Kenya, we ‑‑ I'm not sure if everyone here is, you know, conversant with that case, but what happened was that they rolled out a digital ID program in Kenya, and then people went to court and challenged it on data protection grounds because there was no data protection framework. You know, the court ruled that this was illegal to roll out a program like that. And so eventually it had to go back to the drawing board. Having wasted a lot of money, you know, a lot of public funds, rolling out a program that did not depend on a model that would benefit society. And so, again, we have to go back to the thinking that laws and infrastructures that are, you know, policy related are supposed to serve us as human beings and not the other way around. We build laws that serve us in our context.
And so importing laws and infrastructures from other places where it works for them without considering what our context is is detrimental in the long run. So how, then, do we build models that benefit both economy and society? By building models that benefit society. And how do we do this?
The first thing that needs to be done, whenever considering any sort of model, any sort of framework, is to look at the human rights impact and what impact it's going to have on the end user, the person that is the most at the margins, the person that would be most affected, what would you think about when you think about this person? So human rights due diligence is extremely important in taking things like this into consideration, like for, you know, the example that I've used before this with the (?) Look at the people whose data will be collected and how it will be used. Who are the people that will be most at risk? And then make sure that you are protecting those people. That way you have an effective model. And you don't need to go back a year later or two years later to fix something that should have never been a problem in the first place.
To civic engagement and education. So with us, we have public participation, but it needs to be meaningful. Simply putting out legal requirements and announcing to the public that they need to come in and participate and provide comments but not actually implementing these comments will never help. And so we need to have public participation that is meaningful, making sure that we are engaging with the public constantly to make sure we know what they need and making sure that we are listening to what the gaps are, in essence, build those models that are effective.
So when it comes to regulation versus enforcement, I know that this is not necessarily just a regional problem for Africa. We've seen it all over the world where we have really amazing laws and really amazing policy infrastructures, but then they are simply not working. Why? Because a lot of the time they feel very often off. We have data protection laws all around the region where my work is primarily based in, which is Africa. And a lot of the time you will find that these regulatory frameworks are really amazing. They have been formed really well. And then we have policies and regulations that are supposed to go along with them. Those take a really long time to formulate, so then these laws are existing in a vacuum without really any way to ensure that they are working, without any guidance as to how they should work.
Other than that, there is a fact that with these laws, as it often is, most of them do not govern absolute rights. And so there's always an easy out. And that's what I'm talking about it seems like an opt‑out, opt‑in mechanism for governments and for authorities where they can simply use a justification like national security, and just like that, you know, they've done away with someone's data protection rights, with your privacy rights because it's limitable, and now it's legal because the law is vague and not specific enough to ensure that there are certain standards that a justification needs to meet in order for a law to be limited. A right to be limited.
We have, you know, especially when it comes to interoperability, for instance, we have a data protection framework in Kenya that has all these amazing data protection principles such as limitation and, you know, minimization, but no one really pays attention to that. And then there's no transparency to add on to these things. And so we find ourselves constantly with really good laws but with really bad implementation. And who does that help? Nobody, really. And so at the end of the day, we have to make sure that people are educated on what their rights are and make sure that we have easy intervention mechanisms to ensure that people can very easily come and say my rights are being infringed, and this is what I need. Engaging the society that the laws govern is at the center of making sure that we have good laws and good models, and at the same time ensuring that enforcement is possible in the right way.
>> GRAZVYDAS JAKUBAUSKAS: Thank you very much, Bridget, and thank you for those insights. Now on the African continent. We started with Europe, and we move along also most likely with a global perspective with the next speaker. So let me very briefly present the next speaker, Mrs. Chloe Teevan. Chloe is the head of Digital Economy and governance at think tank called ECDPM, which is European center for development and policy management. That's right. Chloe is also a resident scholar with the north Africa Sahel program at the Middle East institute in Washington, D.C. Prior to joining ECDPM she worked as independent consultant on a number of research projects in North Africa. She also worked at European council on foreign relations in London and spent two years living and working in Cairo, Egypt. ECDPM is closely following the evolution of digital in EU action including in a new paper global gateway and the EU as a digital actor in Africa. Released recently, right, November 30 if I'm not mistaken. As part of their work on Africa as a global actor, ECDPM has argued that Africa needs to play a more active role in shaping the global discourse on Internet and data governance to avoid becoming a form of digital geopolitics. Chloe co‑edited an open‑access book with Africa, Europe cooperation and digital transformation that includes case studies and data policy in Kenya and South Africa. And some more interesting facts or funny facts, Chloe grew up on a rural island where there is still no reliable broadband connection. Although she believes fiber broadband is finally on its way in the next two years. So, please, Chloe, the same question to Bridget. Now the floor is yours.
>> CHLOE TEEVAN: Hello. Thank you, Grazvydas, for the opportunity to speak. I'm honored to be here with the other distinguished panelists. So maybe to follow up also on what Bridget was saying just before, I think context is very important. I think if we go back to GDPR, which is maybe the most established of the European regulations in this area around data, it is very important that that was developed in a European context that included a multistakeholder approach and allowed for the input of European civil society and response to that context. It's not without its critiques, however. And one of the major issues, actually, that has been brought to light this year is this question of enforcement and the fact that even within Europe it is not actually being very effectively enforced. And this is a major issue as GDPR becomes a model or has become a model for the development of data protection and regulation around the world.
And as Bridget mentioned, there are a lot of adaptations to this as well in different contexts. So it's not also whilst it becomes a model, it's not necessarily either adhered to in the same way in different contexts. But perhaps just to come back to the point about enforcement in Europe. So there is actually quite a big issue in the fact that most of the ‑‑ or a huge number of the complaints go through one small country, which is my homeland, Ireland, which is home to the EMEA headquarters for Facebook and Google and many other major companies. And this has implications for the whole of the EU but also for data protection commissioners here in Africa who need to go through Ireland in order to deal with some of the complaints against these companies. So these are big questions in terms of the fact that the way that the current global system is also set up and the fact that within Europe, we have ‑‑ it's still ‑‑ the complaints are still on a national basis, and the Irish Data Commissioner has been accused of being too weak, too business friendly, too slow. And it is civil society in Europe that is really holding ‑‑ you know, holding the Data Commissioners to account and really pushing particularly the Irish to do much, much better in this area.
And if there are improvements, that is because civil society have been very, very actively engaged and have been bringing countless cases against particularly the Irish but also across the EU. And the famous Max Schrems has been very much at the center of this with his organization, noyb, but there are Access Now, I know, is very, very much involved as well on the European side. And this was the focus also of a major conference this year with Data Commissioners, Data Protection Commissioners, from across the EU who are discussing how can they improve this process. And part of that was the fact that they were open to listening to civil society as well and that they invited those voices into the room to give their critiques.
So I think that's a very important element is that multistakeholderism has been part of the process from the beginning in Europe and should continue ‑‑ and if the enforcement improves, that is because civil society is constantly holding government accountable. So that's a very important thing also to note when it comes to the development and the enforcement of these kinds of regulations in other contexts. You know, that having that active civil society participation is really essential and that means also adapting to the context that you're in and bringing those voices into the room.
There are also a host of other issues around enforcement in other contexts. That includes the fact that in certain context data, there aren't even data protection commissioners in place to enforce the regulation that when there are data commission ‑‑ data protection commissioners, they don't necessarily have the resources they need. They don't necessarily have the independence that they need. And then there are questions about whether big tech ‑‑ if, you know, even in the EU, they're not always taking government seriously, and they are pushing the limits even within the EU context. It's much, much harder for a small African government or for another smaller government in another context to hold these companies to account. So those are just a few points in terms of some of the issues with enforcement that really have to be kept in mind when we talk about the externalization of GDPR and this being a gold standard for data protection regulation around the world. And I think that is being taken into consideration in some of the thinking moving forward and certainly in the EU's development cooperation, but it's really important that it is front and center in all contexts, and that really means having civil society on board also. Thanks.
>> GRAZVYDAS JAKUBAUSKAS: Thanks a lot, Chloe, for all this very practical examples of the enforcements and sometimes of the enforcement failure. And let me thank you in Irish language. (Speaking Irish). I hope you understood me. It's, I would say, one of the most difficult languages we have in Europe. This is the beauty of our continent.
Let me now quickly move to our last speaker, and then we have some time for questions from the audience and online. So let me present Mr. Johannes Wander who is a policy adviser to the African Union commission with GIZ. His background is in political science and economics, master of science in peace and conflict studies. Previously he worked as policy adviser for the German Development Ministry and the Egyptian Innovation Strategy. A few facts on GIZ. GIZ has a long‑standing relationship supporting the African Union Commission on a variety of topics ranging from peace and conflicts to human rights. In 2020 Germany started to also support the African Union Commission in their development of digital policies resulting in the African Union Data Policy Framework and the African Union framework for digital ID endorsed by the African Union signed in 2022. Johannes presents himself as an IGF evangelist since 2017. He likes growing tomatoes, zucchinis in his garden here in Addis Ababa in Ethiopia. So the last question to you, let's move now to very concrete details and projects on the ground. So what do you think, what are the key challenges on regional level with a focus on Africa, how to act efficiently to close those digital gaps that we talked about and what is the role of data, data policy, to bridge the Digital Divide and ensure strong data protection and inclusive economic growth and maybe you could give some case studies from the African Union, European union, flagship or other projects. So, please, the floor is yours.
>> JOHANNES WANDER: And I have three minutes, right? So Honorable Vice Minister, thank you very much. I'm not sure to everyone who turned out at this late hour, basically, on the last day of IGF. Yeah. Why do you ask that? I mean, this is quite a lot, and I think the panelists have already addressed a lot of, like, the core issues being, lack of capacity, lack of resources, lack of enforcement. Obviously, my perspective is very much right now from the continental level since I'm supporting the African Union on this. And it has been hinted already that maybe GDPR is not exactly what is the solution for the African continent, which I agree with. But I think we also see that a rights‑based approach as well as what many African countries are interested in where there has been a move, like, towards more localization in several countries in the last few years, which, however, then tends to turn into, like, a very locked‑in approach, and you cannot really leverage the benefits neither for the public, nor for the economic side of the data economic. And, obviously, many African countries seek to tap into the potential of the digital transformation and the potential of a data economy.
So the African Union was in the position to develop this Data Policy Framework throughout the last years and it has been endorsed in February this year, and that will move ahead with the implementation in the upcoming months. And I'm very glad that the European Commission is also supporting this endeavor by the AU, but I think this is exactly the way, like, things have to work, like African countries come together, that the Commission, the African Union Commission, is, like, in a leading role, formulating such policies on the continental level. And then I think it is for Europe to then, like, support, like, the endeavor that is going forward, and I think the existing ‑‑ or the newly actually coming into Europe initiative is a great effort and to do this. As a part of the digital global gateway, which I think many of you are already quite familiar with, which is addressing the digital, also the energy, and the infrastructure transition in many countries, not only African countries.
But, obviously, harmonization is an issue. And we have to remember that in Africa, in the African Union, there are 55 member states, which is twice the amount of the European union. And, I mean, I guess the colleagues from the European Union Commission, they can tell us some stories about, like, how difficult it is to agree on something there. So, yeah. Enforcement is an issue. I think it is something we will work on throughout the next three years. The plan is basically to align all the existing stakeholders that are active on the continent. You have the Regional Economic Opportunities. You have agencies like (?) Many might be aware of, which is supporting data protection authorities in the making already today. But to harmonize all of that and to really bring the data policy framework that was endorsed by the African Union already, to bring that alive, we will really have to work with all of these stakeholders and eventually the aim is, of course, like, to end up on the national level, on the community level, and to find data governance solutions that work there, and that I think will be different from GDPR, for example, because GDPR is very individualistic in the way it's designed, and maybe that is not necessarily, I would assume, the way that African communities work and how Africa deals with these issues.
At the same time, of course, we do not want to engrave existing injustice and power in the data again. So, like, coming back to the title of the session on gold or data being addressed as oil, how do we ensure that data governance then also is just and is not just, again, you know, having one source of resources but then other people do use these resources, sell these resources, and basically, yeah. Earn these resources. So how can the African continent manage and use this for themselves without localizing in 55 countries. I think these are the ‑‑ yeah, the changes that we are looking for, and I think data policy has an important role to play there. Countries like Kenya already have some legislation, but there are other countries that don't have any. So getting that into place, I think, would be the first step. And then the next one to also work on the enforcement, of course. So I'm getting looks from this side. I think my time is over. Thank you.
>> GRAZVYDAS JAKUBAUSKAS: Yeah. Thanks, Johannes, for very good practical insights on the project on the ground and the risks we face. So now let's move along with the question and answers. We still have some ten minutes or so. And let me also present online moderator, Francesco Vinci, who is also from DG INTPA from the European Commission. So he will check the online questions in the Zoom platform, if any. Or you can raise your hand if you're in the room. I think I saw this hand raised first. So please just very briefly introduce yourself and then whom the question is actually posed to.
>> Thank you very much. I'm Nathalia Spina from the (?) Institute of global change. I'm very interested in getting the views of the panelists on the actual sharing of data across borders that we have been talking so much about today. So GDPR and most data protection laws only allow the sharing of data across borders when the receiving country has an adequate protection of personal data within their own laws and it's actually implemented. But for me this sounds very interesting, but so far we don't have any practical implementation in real life. The GDPR list of countries that have an adequate protection are no more than a handful.
Now they have moved the burden to the private sector with the obligation of making transfer impact assessments before the actual transfer. And many countries in Africa and Latin America have made the same provision, obliging the data protection authorities to make this analysis before making the transfer. So how can we simplify this adequate protection evaluation to actually make data transfers a reality across borders? I don't know who to address this question. Perhaps Maria‑Rosaria, you could, but if anyone else from the panel can be ‑‑ can share their views, I would be very grateful. Thank you.
>> GRAZVYDAS JAKUBAUSKAS: Thank you. Thank you for the question. Maria‑Rosaria, are you with us still?
>> MARIA‑ROSARIA CODUTI: Yes, yes, I'm here. If you allow me, I will not go into the GDPR, but I will try to explain what we are doing on that regard in our legislation on personal and nonpersonal data. So I'm referring to the international provisions of the Data Governance Act and the Data Act that address the issues of cross‑border data flows, also international. So between European member states and joint countries.
What we put in the Data Governance Act is a provision to ensure the sensitive of publicly‑held nonpersonal data will be afforded the same level of protection in countries as they enjoy in the European Union and that non‑personal data will not be subject to unlawful access request from third countries. The aim, our aim, is to ensure that the protection afforded to such data in Europe actually travels with the data when it is transferred outside European Union.
So we have this regime based on intervening acts for non‑personal data that we think will not create a bottleneck in international transfers because as a general rule, transfers will be possible to any country, if the user takes on the obligations set out in the proposal, that now is (?) Since they entered the official journal last June.
And if such contractual obligations will prove to be burdensome, for example, to the large volume of transfer for EUs occurring in relation to one country, decisions could streamline the procedure. So the question on regime only applies to sensitive public health nonpersonal data, not to all nonpersonal data flows.
In the aim of the provision of Article 13 of the Data Governance Act is to prevent access requests to governmental authorities where the law does not provide for some level of safeguards. Then we also have international ‑‑ a provision on international data transfers in the proposal for the data act that we are negotiating with the council and with the parliament. So we extend the regime that we put in place in the Data Governance Act, also to cloud service providers and customers. So it's like ‑‑ the rules that we have in this data legislation are similar to (?) In the sense that their aim is to share nonpersonal industrial data in Europe from access and transfer requests coming from third country, but they will also be different in the sense that they impose requirements on the cloud service providers active in Europe and apply mainly to governmental access request.
So this is the international provisions we are putting into new data legislation to make sure that when European data travels abroad, nonpersonal data, it is the same level of protection that it is in Europe. So we do not create any kind of data localization measures, but we encourage the sharing of data by making sure that it is used according to European laws and principles.
>> GRAZVYDAS JAKUBAUSKAS: Thank you, Maria‑Rosaria. And maybe I could ask Chloe to elaborate a bit on your question, too.
>> CHLOE TEEVAN: Well, I imagine Bridget also knows about this in the context of Kenya. But I just wanted to mention in the book we've just published, we have an essay by South African academics, Michael Gastrow and Rachel Adams who look at this question in the context of South Africa and the POPIA which was actually developed on the basis of earlier European data protection regulation. And it took ‑‑ it points to some of the issues in terms of this externalization question because it took a certain amount of time for South Africa to actually develop that regulation. And by the time it had developed the POPIA, the EU had moved on to GDPR, and therefore South Africa was not actually granted adequacy. And they're still working now on figuring out how to attain that. So it's a question that is a really big one, I think, in those countries that adopt this kind of regulation.
>> GRAZVYDAS JAKUBAUSKAS: Thank you. Thank you, Chloe. And we had another question from this side, right? Yes, please. Go ahead. Introduce yourself and the question.
>> Thank you for giving me a chance. Technology without data is nothing. So considering the call for data development of technology, (?) Unless we manage our data, we couldn't do it without advanced technology. The second point is since we manage and store our data properly, for what purpose and when to use and whom we are going to use. Nowadays we are in the age of AI and the cloud. Without data, we can't launch this technology. My question is that knowing data (?) How to manage our data, there is no standard frame for ‑‑ across the international. So how we frame that inclusively consider the data protection. And the second one is I think protecting the data, we should have to consider how to ‑‑ the data protection, technology is borderless, there should be an international agreement of law enforcement system. Thank you.
>> GRAZVYDAS JAKUBAUSKAS: Thank you for the question. I hope that Bridget would take on this. Could you please just present, which organization are you from?
>> (?) Organization.
>> BRIDGET ANDERE: Thank you. And pretty much you are saying exactly what we have been saying on this panel. That there is no one standard framework that works for everyone. So how do we ensure that there's adequate data protection across the region, across the world? It depends on the context. Take, as I said, and I outlined earlier, take the person who is most at risk and take care of that person, and then you have adequate data protection. Take the risks into consideration, depending on the context. There can never be just one framework that is going to work for everyone. So as long as we are building frameworks for ourselves and making sure that we are taking the things that we need to take into consideration, which is who is most at risk, we will have frameworks that work for us.
>> GRAZVYDAS JAKUBAUSKAS: Thank you. Thank you very much. Yes, please, Johannes.
>> JOHANNES WANDER: Sorry. Just to quickly add to that, maybe to illustrate it in just two sentences. With the EU policy framework, it's not a blueprint. It's not like a model law. It's basically recommendations. It's principles that you can interpret then on the regional and the national level, depending on what actually the context is and what regulation you would want to go in. So it's not the same size that fits everyone, but it's kind of an orientation, and under that umbrella everyone can kind of go their way.
>> GRAZVYDAS JAKUBAUSKAS: Thanks a lot, Bridget and Johannes, for taking this question. I don't see no more questions. Well, here. Okay. The last question because we have to move to the closing session.
>> The next question goes to evangelist Johannes. My name is Mandifor from the ministry of technology, an adviser in the digital transformation program. You mentioned about African values that should be incorporated in the African data protection regulation laws which are now incorporated in the GDPR. Can you please, from a review point, could you give us some of these values which would be incorporated in African (?) Piece?
>> JOHANNES WANDER: A difficult question for a white man to answer, to be honest. But what I mentioned earlier, I think in Europe or in GDPR, you kind of have a law interpretation represented that is very much focusing on the individual as, like, the individual ‑‑ the owner of data, like the data that I create is also the data that I own. So I have this right to basically have this data protected by all means. I think in some African societies, at least, the individual maybe is not always as important as the community. So sometimes the communal aspect is more important or has, let's say, a higher priority. And we have seen that in some, like, yeah, there was more experimental data governance that, for example, prioritized the right of the community to data. So, obviously, it depends on how sensitive the data is and what it is used for, like if it's health data, for example, like, it's still extremely private, I would say. And there the community is not, you know, above the individual. But it depends. And I think you have to interpret it, like, depending on the context you actually want to develop the governance. And so I don't have, like, an answer and, like, Africa has not all the same values in every country, so it's very divergent. Maybe someone more equipped to answer would like to come in. I don't know. Otherwise that would be my answer.
>> GRAZVYDAS JAKUBAUSKAS: Since we are really running out of time, thank you very much, both colleagues for the question and for the answer. We see that Vice Minister wants to either comment on this question or maybe say something unrelated to this question, but maybe the question previous. So Vice Minister, are you here with us?
>> MAREK HAVRDA: Yes, I am. Thank you very much, Graz. I just wanted to make a comment related to the previous question. I think crucially as we discussed during the country, the question is enforcement. And I think we all need some new approach to this. We will need an institution of innovation, how we actually monitor the enforcement. So we will need, I think, an international platform which would help to monitor how the, especially the privacy rules are enforced in different countries. Because this is the prerequisite for making it a reality. Thank you.
>> GRAZVYDAS JAKUBAUSKAS: Thank you. Thank you very much. I know that we need to wrap up the session because we're really running out of time. Thank you very much for all the speakers and all those who attended this. Most likely the last session for you today. And I know that there is also a closing session this evening. So thank you for all your insights. And should you want to learn more about the session, about the background of the session, you can always find information on the IGF website. Just look for Open Forum #38, data as new gold: How to avoid gold rush and create value for all. So you will find the questions, answers, and some background on this topic and key takeaways that most likely we will take today. Well, the enforcement should be adequate to legislation and that enforcement is crucial, but we need to assure that no one is left behind and that we really tackle all the problems, including that we ensure human‑centric approach. Firstly. And foremost. So thank you very much. Have a nice evening. And see you next year. Thank you. Bye.