IGF 2022 Day 1 WS #69 Governing Cross-Border Data Flows, Trade Agreements & Limits

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> MODERATOR: Apologies.  I am the moderator at the moment.  Some people have become sick.  I am Shane Tu.  I have been to 15 of the 17 IGFs, I have a good idea of how it works.  Right now, Dr. Chin is tolerating my lack of ability to get on.  I need to ask online participants, does anybody else have a presentation?  So we know to expect that.  Let us know.

I will start with introductions.  Next to me is Dr. Yik Chan Chin, an associate Professor at Beijing Normal University; prior to that she worked in Liverpool and University of Nottingham and Oxford School of Law.  Area of research includes Internet Governance, communication, policy, regulation in law and special focus on China.  Currently working on projects in Internet Governance in China, AI, big data, ethics, and social media.

Dr. Zhisong Deng focuses on data practices, protection, dispute Resolution and has a long history on antitrust filing for cross‑border M and A transactions.  He started working on the domestic and foreign clients with legal services.  In 2012 he started engaging in cybersecurity and data protection and has a long history over the last 10 years working on privacy protection, cross‑border transfer for clients and many other occasions he's been asked to be an expert. 

Locknie Hsu has an LOM from Harvard and LOB from national University in Singapore.  An advocate and solicitor in Singapore since 2006. 

Dr. Rolf Weber is a Professor and acting as co‑Chair and Director of research programs on financial markets and regulation and also a visiting Professor at University of Hong Kong in China and main fields of research are Internet information technology law, international business law, media law, competition and international finance law.

And then Dr. Mansi Kedia is a senior research Fellow at India Council of research and international foreign trade.  I also have my online moderator, Linda, who is moving over here now.  She's also a last‑minute fill‑in, you have to appreciate all of us who really care about cross‑border and want to make sure we have a good dialogue today.  Unfortunately, some of our colleagues are not feeling well.  Courtney, I don't know if you are watching, we are happy to be here in your stead but miss having you here.  Dr. Chin let's start with you. 

>> Yik Chan Chin: Thank you.  (Off mic) I would like to introduce myself.  I'm from Beijing University.  I would like to talk about ‑‑ I have five minutes to give a brief introduction about China's approach in terms of the cross‑border data flows.  So basically they have ‑‑ the Chinese flows is based on the free flow data flows.  So this is some important concept I want to pick up.  I want to emphasize in the policy regarding cross‑border flow like sovereignty, personal data protection and national securities.  And in relation to that, they have a data classification and weighting system.  They're weighted into different categories in terms of importance to the national interest or public interest or national security or personal or private protection.

China joined the FTA agreement and also regional trade agreements. 

So if you look at China's official position towards the cross‑border data flows, this is what they submit to the WTO, the e‑commerce Committee.  So basically they said trade‑related data flows are important, but more important is the precondition of security.  Therefore, you know, their cross‑border policy has to emphasize on security.  So therefore, it is necessary data flows should be orderly in compliance with members' respective laws and regulations because the core concern for China is security. 

So if you look at this, there is two important laws in regulating cross‑border data flows in China.  The first is personal information protection which set up the compiling conditions for exporting the personal data.  So this is a particular for the personal data.

So if the data process wants to export the personal data, they have to fulfill one of the four conditions.  The first is the past security assessment.  The second is they have the protection certificate.  They can get a protection certificate.  Personal information protection certificate.  Or a kind of standard contract with overseas companies in accordance with the standard contract provisions. 

And also there is other condition stipulated by laws.  They only need to fulfill one of them before they can export personal data. 

Second is the obtain personal information that is security measure.  If you want to export data, you have the data process or consumer has to pass the security assessment measures.  They have types of data, which requires the security assessment.  The first one is important data exported in the data process.  Of course, they have a definition about what are important data, but I'm not going to elaborate here.  They have a particular definition of what are important data.  The second is the personal information.  Exported by key information infrastructure operators or data process which has process personal information reach one million people. 

The third category is personal information, exported by data process.  Which accumulate for why the personal information more than 100,000 people.  So another situation required by the national cyberspace administration department.  The four types of situations they have to pass the security assessment.  So besides the four types of information, they can export.  So when they do the security assessment, do look at the three conditions.  The first was risk.  What kind of risk did they export and bring to the national security, public interest and there arise an interest in the regional organization.

The second condition is legality, legitimacy, and purpose of the scope of data export.  It is quite legal, you know, approach. 

The third assessment criteria is whether the safeguard meets the regulations of China.  When they export the data they have to make sure there is safeguard measures, to guarantee the protection of the personal information.  There is national standard, law, regulation to access what do we mean by the safeguard measures.

The exportation has to meet all of the safeguard measures.  So therefore, we can see in general, you know, we can see the Chinese approach to cross‑border data flows is that there are only a few cases where the export data is banned.  You know, data can be legally exported after meeting certain criteria, like a security assessment or get a security certificate or send a contract.  The new data export assessment measure provide a certainty because it is defined only those four categories of personal information or the important data that require the assessment to assess the risk.

Beyond the four categories they can't export.  Okay?  If you look at the details of this requirement, you found that there is actually this formulation is quite the reference to the practice or public policy and the national policy exception to many FTA.  If you look at the FTA they have two exceptions.  One is public interest exceptions.  The second one is national security exceptions.

So in Chinese formulations, we can actually see the similarity because they put exceptions into the security assessment measures.  So they say okay, you have to make sure, you know, you do not have a risk of national security or public interest or violate rights of interests of individuals or organizations.  Basically they put the exceptions into the measurements as well as security assessment measures.

The last point I want to emphasize if you look at the assessments of the legality, legitimacy, and purpose of the scope, this is the personal information.  This is not a particular requirement.  Additional burden to the companies, which export data overseas. 

That is also requirement of domestic law, personal protection law for domestic company as well.  Therefore, it is not discrimination provision, that is target by western companies.  We have to recognize this as well.

So sometimes, besides that, they also have other initiative, like global initiative in global security initiative.  They want to promote connectivity and international collaboration and want to join the negotiation and regional trade agreement.  On the other hand, up to now, China join only one trade agreement which is IECP, which also have provisions to cohabit data localization and free flow of data with exceptions.

And also we anticipate because China is ‑‑ has applied to join the CTPPT and DEPT.  This kind of process will put pressures ‑‑ cross‑border data policy, if they successful joined, then maybe have some implications on the domestic law as well.

We will see.  Okay? 

The process is still going on.  There is still negotiation, you know, between China and also these organizations for free trade agreement.  If you look at the historical development, you see the free trade agreement, the 2016 and have CCPT and IECA. 

At the moment China join ICPT, and basically according to the provisions of this IECP, China has agreed to the free flow of data and not forced data localization but they want to have a potential for exception provisions.

What I want to say is China's cross‑border rule will affect the international cross‑border rules.  It is important to engage China and to become part of the community which it drafts, share the norms and rule creation for the futures. 

So this kind of engagement, I think is inevitable to have flow of governor transborder data flows.

The last thing I want to say is why there is difference between Chinese approach and U.S. and Europe approach.  Look at China approach, we emphasize the security and sovereignty and also personal data protection, where, if the U.S. approach is more emphasized in the free flow of data.  Because the Europe approach look at protection of human rights and privacy. 

But there is some underlying reasons for that.  First of all, because U.S. has very strong, digital service they're dominating the global e‑commerce market.  That is why they emphasize free flow.  Also in terms of regulatory framework.  That framework is permissive regulatory legal framework.  They minimize the state's interventions in the market.  Therefore they have less interventions. 

If you look at China, China's e‑commerce are not kind of trading data.  They're more trading of the physical goods therefore not really focus on the data trading.  And more traditional trading. 

Also because the Chinese approach, the regulator approach, more emphasize the data regulation and co‑regulation and self‑regulation.  There are regulatory style that is more compilation of co‑registration and self‑regulation.  Not emphasis on self‑regulation.  We can see different approach.  EU's approach which is influenced by two factors.  The first one is long tradition of human rights protection.  Secondly, no major digital player dominating the e‑commerce global market from EU.  The lack of this initiative to promote free trade.

Secondly, the lack of Government to oversee the security issue.  Therefore they haven't developed strong position in terms of national security.  You understand the European Commission don't have strong security mandate in some way.  Okay? 

That is why we see the difference between the three approaches.  That is all for me for now.  You can see we have this already.  This is the website, you can download our paper.  Thank you. 

>> MODERATOR: Thank you, that was a great introduction and beginning.  Wow.  To the other speakers, no one has to feel competitive to use more acronyms, she did a fabulous job there.  Dr. Zhisong Deng, you are up next.

>> Zhisong Deng: Thanks, moderator.  I think Professor Chin has already introduced the legal framework.  China's cross‑border data regulations ‑‑

>> MODERATOR: Can you unmute yourself? 

>> Zhisong Deng: Can you hear me? 

>> MODERATOR: Do we need to turn that on?  Okay. 

>> Zhisong Deng: I will provide some supplementals from my perspectives that ‑‑

>> MODERATOR: We still can't hear you.  Can you make sure that you are unmuted from your side of the computer.  Fabulous, we can hear you now. 

>> Zhisong Deng: I will provide some supplementals from my perspective, based on my observations as a local practitioner in this practice.  That it is China's regulation on the possible data transfer.  So ... number one, the China actually is still in the process of fast overlapping these parties.  Before 2017, there was only regulations in certain industries.  Such as banking and financing and also those.  Only in 2017, we have the cybersecurity law.  That provides certain principles in term of data transfer that focus on the CIO data participant.  The CIO is first to critical information infrastructure regulators.

And from last year 2021, we had two new laws, the PIP, Personal Information Protection law and the data security law.  And also this year, we are having some new laws.  So this means actually we ‑‑ for the enforcement system in China, we have it only in place for less than one year.  So it is still in the process of very fast and rapid.  The.

The second supplemental we want to provide it is obvious that China focuses much more on the data outbound.  The outbound data, which means you transfer the data from inside China outside of China.  And that there's few regulations in term of the inbound data transfer, which means actually it seems that the authority does not care about those information coming into China.  All of those regulations are actually focusing on the outbound data as quite obviously.

And I think that this indicates China is still in some kind of earlier development state.  We need more time to promote attention on those inbound data transfer issue. 

Third supplemental is that there is Professor Chin is quite right to point out that China attaches a lot of importance in terms of the national security.  You know, regarding the information matter.

The authority, cybersecurity authority is one of the most powerful central authority in China.  And this is closely related to the top leadership.  Actually the President himself is the leader for the central task group within the Chinese Government.

So I'm also observing that the authority is Chinese authority is trying to strike a balance between safeguarding national security and promoting those international trade.  So up to now, I see from both the written law and the enforcement parties.  And the authorities now focus on more on the security issue in terms of the cross‑border data transfer integrating.

The last supplemental I want to provide is that besides those regulating the transfer of the personal information, in China, actually according to the data security law and the PIP, the Personal Information Protection law, no one can provide any information, any data locate in China for any foreign authority.  Or any foreign judicial authority.  Because that is totally prohibited.  And the law only provides one exception.  You have to obtain approval from the Chinese Government. 

I handled a number of cases in the past one year in terms of those international cases in which somebody have to provide information and data and evidence to the foreign authority.  That is very difficult to actually handle.  We spend a lot of time communicating with the Chinese Government and authorities.  Up until now, we did get one approval in those cases.  This is a challenge in the Chinese regime and authority have to solve in the coming months. 

So that would be supplementals.  Thank you, thank you for your attention. 

>> MODERATOR: Thank you very much.  Next, can we have Ms. Locknie Hsu.

>> Locknie Hsu: Can you hear me?  Hello from Singapore.  I'm happy to share my observations from my part of the world.  I'm in Singapore, and we're members of an organization that comprises 10 countries in this area.

I thought I would share the regional perspective from my neck of the woods for a change.  And my remarks will be in three parts.  I'm sorry I didn't prepare any slides.  I will try to go systematically so it will be a little bit clearer for everyone.

The first part of the remarks is to set the scene.  The southeast Asian organization comprises 10 countries and we're involved in regional integration, including economic integration.  With that, of course, there is a lot of attention in the facilitation of trade, movement of goods, services, and data to enable businesses to seamlessly carry out their operations. 

So in that context, you'll begin to appreciate the standards to facilitate data flows and observe personal data protection minimum requirements.  I will speak more about that in a moment.

The 10 countries come to decisions by consensus.  All 10 countries agree.  Some say this is slowing things down.  But in a way this builds the trust, builds the confidence in decisions that are eventually reached, because all the countries eventually agree on the course of action.  Including the area of data management, data governance, principles and so on.

Also quite common is collaboration.  This will feature a lot in what I talk about in the next part.  Because we're very diverse, we have different legal systems, we have developed and developing less developed countries.  It is a very diverse set of countries.  And the laws differ a lot.

In terms of data governance, e‑commerce laws, electronic signature, authentication, legislation, so on, we are also at different levels of adoption of experience and so on. 

There is also need in Asia to promote or rather help fill the gap in digital capabilities, because we have a range of economic capabilities in the different countries, which vary a lot. 

So mindful of that background, I will then speak therefore, in the second part of what I want to mention about the kinds of instruments that are used in Asia to manage data governance or data ‑‑ because the laws of the 10 countries are quite diverse and different, it is not an objective to make everybody's laws the same.

Rather, I think what I observe is through a number of legal and soft law instruments, Asia has been involving a set of principles, a set of frameworks, and a set of very useful tools to enable data flows to be smoother, to be facilitated. 

For example, if we look at document called Asian data management framework, there is an Asian cross‑border flows mechanism.  There are two tools being developed.  The first is the Asian cross‑border contractual clauses for data to be transferred between controllers and processes in different countries.  You might wonder, why there are model contract clauses?  This is to help the Region have minimal contractual clauses companies can decide whether to adopt or not.  If they adopt, it is a standard template set out for them.  And covers most of the minimum expectations of data protection, transfer and so on.  That is one tool. 

The second tool that Asia is right now developing ‑‑ I don't have a lot of details because they're still working on it is the Asia certificate for cross‑border flows.  I think that this certification will draw inspiration from the A‑Pac certification model.  A‑Pac comprises 21 countries, economies.  And the certification system in A‑Pac, if the Asia system is modelled on that, I'm guessing, will allow entities in countries to be certified as being adhering to certain important data governance principles so they can transfer data more easily across borders.  The advantage is if you are a certified enterprise or company, you are basically recognized as having a set of good practices for data protection, therefore the transfers are recognized. 

So this is some of the tools that Asia as a Region has developed.  There is a lot more.  I want to touch on one more instrument, which is a legal instrument this time.  The Asia e‑commerce agreement that came into force about a year ago.  The Asia e‑commerce agreement covers a range of digital economy issues, including data, localization, transfer of data, so on. 

So I can speak more about this agreement later during the roundtable.  I would like to just leave it at that and mention that there is this agreement.  Asia also has free trade agreements with other trade partners.  I think in the previous speakers' presentations, the RECP was mentioned.  Asia is indeed part of the RECP.  That has an e‑commerce chapter that contains data, transfer data flow provisions, that we can talk about later as well.  The last point I want to make or point I want to mention is against the backdrop of Asia's context and types of instruments that Asia has been developing, Asia is very mindful of other related issues such as consumer protection, of which data and personal data privacy protection is a part of it.

So it is not just a simple data issue.  It is data and also there is another layer of concerns.  Consumer protection issues.  And also cybersecurity issues, of course, in which data can be stolen, hacked and distributed online, et cetera.  These are all related concerns.  And just to set the scene and provide the broader context.

So as mentioned, I can speak more later.  But I will leave it at that for now.  Thank you very much.

>> MODERATOR: Thank you very much.  Professor Rolf Weber.  Do we have him up? 

>> Rolf Weber: Good afternoon, can you hear me? 


>> Rolf Weber: Yes, I am supposed to give a perspective perhaps exclusively of the European Union.  I would like to start at a little bit higher level, which we have not yet touched upon.  If I say the sentence, cross‑border data flows should be legal, free, and secure, I guess that everybody would in fact agree to this sentence.  And from a global perspective, we should have more rules on a global level.  Insofar I just make this as a general remark and possibly we can come back to this remark later during the roundtable.  WTO has been implemented at a time when digital services were at an infancy stage.  So we don't really have good legal rules which would apply in respect of the cross‑border data flows on a global level.  The classification is completely outdated.

I think there is really a need that the efforts which have been initiated, some five years ago in Buenos Aires to agree on other controls is imminent.

Coming to the European perspective, I think I need to distinguish, we do have the European Union.  And within the 27 Member States of the European Union, cross‑border data flows is not really restricted or only restricted to a lot of minimal extent.  Since it is the practice of the European Union to have free and liberal and open space for businesses and for Civil Society.

At least this was the concept some 30, 40 years ago.  However, we do have now, if I may say so, a special backlashing as the European Union has implemented strict rules on data protection and general data protection regulation which is in force since May of 2018. 

This leads to an important distinction between personal and nonpersonal data.  This has already been mentioned in interventions before.  As far as nonpersonal data is concerned, it remains with my statement that in principle, we do not have many impediments to cross‑border data flows.  As far as personal data are concerned, however, obviously, cross‑border data flows is subject to compliance with relatively strict rules. 

And we have seen in the past that the European Court of Justice is very strict on this compliance issues, and in particular in two cases, relating to cross‑border data flows from EU to United States.  European Court of Justice has expressed the opinion that the precautionary measures contained in the legal documents would not be sufficient.  And that in principle, cross‑border data flows from EU to U.S. would not be legal, except on the ‑‑ some very specific circumstances.

So all of a sudden, we have a new element in the discussions.  Of course, we can say that the general data protection regulation has become a little bit deflected for data protection laws.  At least in the western hemispheres.  States in the United States are partly copying the rules of the GDPR, also some e‑session countries are quite close to European rules.  For example, the Hong Kong data protection ordinance is relatively close to the European rules.  With one exception.  The cross‑border data provision of the AU rules has not been implemented so far enforced in Hong Kong.

As far as cybersecurity is concerned, which is an impediment to the free cross‑border flow of data, again, we have not been successful in implementing international or global rules.  The U.N. group of Governmental experts has issued five reports, but the results have been minimal.  There is a new understanding of the open‑ended global Governmental experts, which dates back to spring 2021.  But maybe due to the environment, the efforts have not really been taken up. 

So we have to rely on the international rules.  Here we see some efforts in the European Union to harmonize national rules.  We do have a regulation on the security of important networking infrastructure.  We do have a cybersecurity strategy.  But to a very far extent, cybersecurity remains a national domain.  And overall, if I try to compare the European approach with the Chinese approach, which has been nicely presented before, I would say that the rules in European Union are less strict.  They are more open.  Notwithstanding some cybersecurity interests.  Of course, we have less, for example, data localization rules in Europe than for example, in China.

Obviously data also less rules than for example, in Russia.  And obviously data localization rules hamper the cross‑border data flows.  This brings me back to a final and very general remark.  I think you should not only look at the legal rules, but more generally also at policies.  If I would try to define globalization, I would probably distinguish between three different types of globalization.  Namely legal globalization concerns harmonization of national normative orders.  Or the implementation of collective bargaining rules.  I mentioned also WTO but preferential trade agreement that are going a little further.

In certain instances in particular, the free trade agreement between European Union and Singapore containing digital trade rules.

The second is the cultural organizations that relate to the issues many fold, social policies and prioritization that will reflects the existence of increased globalization of businesses and economic activities.  I just dropped this into the room.  But I do think that officials should not forget about the general aspects.  Thank you very much.

>> MODERATOR: Thank you very much, Professor Rolf Weber.

Ms. Kedia. 

>> MANSI KEDIA: I feel as I begin, that India is much more conservative than the countries and groups of countries we spoke about.  I mean, there has been a journey, in the first part of my comments, I focus on where India is and what that journey has been. 

In the second part what I think will be the way forward.  So India has seen a series of data localization norms that started very early on with the traditional Public Sector.  2013 and '14 onwards, there was a barrage of policies that came out, especially in financial and banking services sector on localizing data.

Which was followed by consultations and deliberations on a privacy bill.  And the first and second versions which had hard localization policies and requirements.

Something has changed.  We do have not even this last week, India announced the latest version of its privacy bill, which was the digital personal data protection bill.  That seems to have softened its stance on the data localization.  But it doesn't really spell out what is possible and not possible and what will be the principles.  But at least it has moved away from the need of localization or it seems so.

So once we have the details of the policies we will know.  But a lot of sectoral policies have continued to impose upon the businesses, the need to localize data.  This strong need for sovereign control of data is also reflected in India's position in several multilateral and bilateral positions.  For example, India opposed the free commerce.  We didn't sign the data free flow in 2019.

It also did not sign the OCD, the Budapest Convention on cybercrime.  And all of this just reflects that India is probably not going to walk away from the ‑‑ though it said recalling conditions but a multilateral agreement that have had a lot of components of the digital economy.  Those were not ‑‑ those ‑‑ because we walked out of the convention, those reflect that India hasn't made any international commitment through a multilateral arrangement on allowing free flow of data.  This is also reflected in its bilateral agreements it has with a few countries.  Some data shows that you know, of all the 16 recent trade agreements they have signed, only one that talks about data protection and one or two that talks about the free flow of data.  Those are also just language and not necessarily focusing on any commitment as is in the recent India UAE Treaty.  And India Australia agreement that was concluded.  Also there isn't a commitment on allowing free flow of data.

What we see is a softening of stance.  I will tell you where that is reflected.  It is much more conservative than what we heard from China or from the Asia countries and definitely from the EU and U.S.

So the softening of the stance is reflected in a recognition that cross‑border data flows have economic costs.  I think more than once, this has been said to the Government and there have been more than one report that has provided the sort of evidence to the Government that, you know, cross‑border data flows will help trade, will help the digital businesses.  Given the digital ambitions of the country, it is important for India to allow at least free flow of data with some safeguards.  I think that recognition has come.

However, the economic argument that the Government has made in favor of data localization is to say that, you know, we are ‑‑ that they're trying to fight what they call digital colonialism, because of the dominance of big data and monopolization that might take center stage in the days to come.

The other economic argument is also that data localization, if they localize data companies will be forced to set up data centers in India, there is more jobs, more infrastructure and more innovation which can lead to a domestically created digital economy and we won't be dependent so much on foreign companies for the digital services.

The second, which I think runs across the Board for all countries is the national security argument.  We do have national security concerns.  Even with our neighbors.  And therefore, it becomes important that, you know, that our localization requirements or at least some understanding of access to data in case of law enforcement incident.

Given the current mutual assistance Treaties doesn't seem to be working effectively.  And the types of cybercrimes are much more innovative using Cloud‑based instruments, that may not happen in their jurisdiction.

Both of the arguments are driving the condition.  There seems to be softening from the absolute hard position to one where they're looking for a middle part.

To the second part, where that middle part would lie, my suspicion is it that is definitely not going to be the absolute free flow model, which is in the U.S., where the data ownership is with private companies.  There is a sense of ‑‑ there is a sense that privacy is protected.  And there is no need for expressive regulation.  It probably will not follow the EU model that places privacy at its center.  While privacy is extremely important, one can imagine that in a country with this sort of digital coverage that we have, it is surprising that we still don't have a digital ‑‑ we don't have a privacy bill. 

So why privacy is going to be important, the data localization concern says or cross‑border data will have ‑‑ that will not be the central argument or ethos of cross‑border data flows as it is in the EU.

I think the way ‑‑ it is also probably not going to be one like Russia or China, but somewhere in the middle.  Some reflection of what India is thinking about is a proposal it recently made to the U.N. Ad Hoc Committee that supports international cybercrime saying they wanted a broader jurisdiction over citizen data.  So immaterial of where the citizens were transacting or where the data was stored or processed, India should have extraterritorial jurisdiction over that data. 

And that would, therefore, curb the concerns or curb the need to localize.  So is that a model that they could follow?  The other thing is also in terms of data sharing frameworks.  While Korea and Singapore, you know, even within the domestic models, they have involvement in the Private Sector.  But in India, the primary framework, which is the data empowerment and protection architecture is considered Public Sector led.  I think when we go in India is that the Government is not going to give up control.  But given the economic considerations of costs and the need for the digital businesses to allow movement of data, there might be a model that is going to be somewhere in the middle, where at best, we will see bilateral arrangements working out.

Or bilateral informal arrangements working out or formal arrangements working out.  Or a model that they're going to be able to push at the global level, which would address their concerns about national security, primarily national security, and access to data in instances of cybercrime.

Let me stop here.  I'm happy to respond to more questions later.

>> MODERATOR: I'm very excited.  I want to see where the middle lies.  I think that will be fun to see.  Linda, since I didn't have your bio, would you introduce yourself as my co‑moderator? 

>> LINDA: I am Linda, a lawyer based in Kenya, I work at the lawyers’ group and we work on digital policy across the African continent.

>> MODERATOR: Linda and I will co‑moderate a roundtable and we will open for questions.  I want to appreciate the full room today on officially day one, actually day two for a few of us at the session.

I appreciate the enthusiasm for the important topic.  The first question to our group is ... we just heard quite a bit on the table setting exercise of how different parts of the country are looking at the importance of data flows as well as data localization.  And the challenge and opportunities of privacy for citizens as well as, you know, the interest of Government.

Can we look at what some of the cross‑border challenges are in these frameworks?  And as Ms. Mansi Kedia said there is somewhere in the middle for India, we know EU has a strong citizen driven directive.  And we heard what was going on in the Asian area.  Can you key up what you see between the different potentials. 

She was moving.  Ha‑ha.  So we're looking at multiple models in between the different, you know, continents.  We have seen how Asia is looking at, and the EU.  We don't have anybody representing the U.S. because they don't have a privacy law and they let all the information flow, I'll say that.

As the roundtable discussion, why don't we start with how you see the possibility of there being cooperation and collaboration.  And then where do we see the challenges? 

>> From my personal point of view, you know, even the U.S. and America has trans‑Atlantic privacy framework.  I think in some way, in China, the EU shares more commonalities than the U.S. and EU.

First, if you look at China's personal information prevention law, it mirrors the GDPR.  They take it seriously.  And therefore look at personal data protection.  The transborder data assessment, if you look at the framework I just introduced we can see a strong protection in terms of personal data as well.

So if the data process operators or processes have processed more than one hundred thousand, you know, to personal data one year's personal data accumulated.  And they have to pass security assessments to some extent and also to meet some requirement for the personal data protections.

So therefore, I think there is a convergence between the EU and China to some extent.  On the other hand, I think America, even towards America, feel more.  We look at America's submission to WTO.  In their submission they measure the privacy protections.

So we will see in the end, we probably will see even in India and Asian concerns we will see the privacy protection and criteria and the foundation for data export is no matter how strong to protect privacy to a varied degree between countries.

This is first thing that may happen.  Secondly, I think it is in terms of national security.  I think many countries have not only China and India, you know, and Asia and African countries also put national security as one of the preconditions, important exceptions in FTA as well.

But I think it is important divergence in how do we define the national security, whether EU has a different perception or conceptualization, with China and whether the conceptualization of the cybersecurity and national security in terms of trade agreements.  You know, it is not just cybersecurity or national security alone.  But actually in light of trade agreements how do we make it very clear, distinguish between what is legitimate national security concern in terms of trade agreement or digital trade?  What is legitimate among national security concerns.

That is divergent between different countries.  That is my take so far.  Thank you.

>> MODERATOR: Great, other panelists? 

Yes?  Dr. Locknie Hsu. 

>> Locknie Hsu: Did Mansi want to go first?  I will be quick.  Thank you.  I want to share a perspective that is slightly different.  If we put ourselves in the shoes of businesses, small and medium enterprises that are already struggling to make ends meet.  Finding the sweet spot in international rules is important in this exercise to be mindful of businesses' needs in compliance and understanding what the boundaries are and understanding how to navigate the rules and understanding what they can and can't do, so on.  I think that is an important factor in the conversation of finding the sweet spot of what the international, regional, or global rules might look like.

The second thought I had, listening to other observations was the use of the idea of comparability, in terms of data protection, in the GDPR, you have adequacy agreements, adequacy to see if the other jurisdiction has adequate protection equivalent to the EU GDPR.  We have provision section 26 that says if you export data out of Singapore, you have to ensure as an enterprise that protection on the other side will be comparable for what is provided for in Singapore.  That may not be by law.  That could be by contractual arrangement.  It gives businesses that flexibility. 

I think the comparability element can help bridge some of the gaps.

The third observation is right now, I think it is quite fragmented, depending on what issue we're talking about.  National laws are fragmented in terms of how to deal with data localization.  Some countries have the laws, some don't have the requirements.

Data transfer rules are different.  There is fragmentation.  I would venture to say among free trade agreements there is fragmentation because the positions differ.  I see Mansi nodding, maybe you can pick up there, Mansi.  Thank you.

>> Mansi Kedia: Thank you.  I want to add while they're agreed upon there is no debate on why localize or why we need to localize.  That is sorted out.  Countries ‑‑ I mean the two reasons why they want to localize are probably this.  But I think protecting the privacy of the individuals, but I think we are not ‑‑ there is the technical issues related to in terms of the comparability that was talked about, the technical capacity and the politics of all of it. 

You know, sometimes when I was comparing India to all of the countries, I feel bad, you know, why are we so far behind?  What are we not able to do?  I think about it more, I feel that probably we are not ready.  You know, given the size of our economies and the strength of our institutions and we are probably not ready.  It is better to jump into these sorts of agreements when we know what to do.  So I mean, I can pontificate as a researcher, I'm sure if I am sitting in the Government, the decisions are harder to take.  Having said this, I feel that it is going to be a bit fragmented.  I don't see harm in it being fragmented for a few years until there is convergence on how every country is more or less looking at cross‑border data flows. 

So what I am trying to say is we shouldn't worry about the fragmentation at this point.  I feel each country will work out a way to get to this when they're ready. 

>> MODERATOR: Comments from the other two panelists? 

>> Rolf Weber: If I may, one sentence, I think if we look at personal data and digital data and digital trade, a good amount of data is nonpersonal.  We don't have the restrictions of privacy laws.  Digital trade could substantially be improved, if it would not build impediments as far as nonpersonal data is concerned.

And secondly, just following the remark of Professor Locknie Hsu, we do have special instruments that can be applied if the equal level of protection should be achieved, in particular so‑called privacy harbor agreements that have not been successful between U.S. and EU.  Nevertheless, the instrument exists and could be applied.

Finally, some specific rules on data protection privacy are contained in preferential trade agreement or bilateral trade agreement as I mentioned, Singapore, EU, and agreements with Korea. 

>> Zhisong Deng: I am observing a big gap in China laws and other major prescription.  Generally speaking, China is quite strict in terms of the legislation of the data cross‑border data flows.  I mean, outbound data transfer.  If we compare China and EU, unlike GDPR, in China, there is fewer options for the outbound transfers like ‑‑ in the GDPR, the funding, (speaking softly, difficult to hear) it is not an actionable approach here in China.  And also, up until now, we don't have a wide list of countries.

Also if we compare China just standard contracts for the data exports with the SCC in the EU, those provisions in China's (?) much stricter.  So I think that I think China is the second economy in the world.  And also every year we export a lot of goods and services out of the country.  And I say we need more dialogues among those major jurisdictions.  To figure out how to promote free trade through more and those data in the transport. 

>> MODERATOR: Thank you.  Linda, as my co‑moderator, do you want to step in with comments about Africa?  Before we go to the next question? 

>> LINDA: I think I was going to make a comment on the, you know, what is coming out of the discussion, how I see this as, you know, intersect with what is happening across the continent.  Hilda from that is online.  I feel like I'm not the person to talk about this.  I know the African Union has great interventions that are happening now.

Just to talk about the sector specific decisions that have been happening, I should talk about trade.  Give me one minute.  I think as ‑‑ oh, my god!  Sorry.  (Chuckling).

I think as we talk about digital trade, Africa has a gentle framework on trade.  Which is the Africa free trade agreement that came into force in 2021 generally.  And from the discussion of the continental level has been the sector specific data policy, you know, framework, especially on data flow.  And two, I wanted to highlight the discussion that came, I think, from India about fragmentation versus harmonization.  And if you look at how Africa is structured, and the process of domestication, which is something that I think we are struggling within the continent, how do you domesticate, you know, even when you have laws that have been adopted.  At the African Union level we have had the convention since 2014 and we haven't got 15 States to ensure that this law actually comes into force in the African continent.

Yet the same countries are now adopting very specific data protection laws internally within the countries.  So I think that is a mismatch, especially around how do you get to agree?  This is a difference between GDPR for the 27 States in European that enjoy you know, sort of similar political conditions, compared to Africa, we have 55, and the different processes of domestication, of the data privacy rules.

The final point I would like to make would be the regional factor where you have Southern Africa, East Africa all having different approaches to data governance.  So you see a lot of modelled laws coming from the Southern Africa States, really coming up with digital policy frameworks, the digital economy frameworks that are really important.

And I think the other comment would be, on data centers, the requirements for data localization, when there is actually very little digital infrastructure to support data localization.  So you have a lot of data centers now, countries requiring data centers, local data centers for health data, and sometimes election data.  Yet the data centers are actually run by foreign big tech companies, that does not go over well.

I think finally on, you know, the power of big tech in Africa, compared to big tech elsewhere.  Europe has really developed, you know, policies for themselves that are strong.  Because they have come together.  You know, and so when big tech companies negotiating with Europe, they know we want the European market.  So then we will have, you know, greater, you know, we can negotiate with you on data policy issues.  That is not the same for Africa.  Because we don't enjoy the numbers to really come together and say we're one digital economy.  So maybe the discussions happening now on the digital single market can get us there in terms of having ‑‑ considering Africa is one data market.

And then, you know, getting us to negotiate on this specific front.  But the Africa digital free trade area, the discussions happening now on the additional protocol on e‑commerce, hopefully it will get us to better data flows.

There was a report launched yesterday by the Internet justice network on cross‑border data policy framework for Africa.  I think it really offers a good overview.  It is available on their website, if you want to download that. 

>> MODERATOR: Great.  I think I would go to the last question, if you look at the bottom and open it for questions to the group.  Because we're getting short on time. 

>> LINDA: That is fine, go ahead.

>> MODERATOR: That is for the roundtable discussion, what are the risks of not developing a nonnational approach would it lead to divide or would the bilateral trade agreements be enough to continue to use in both trade and digital sovereignty? 

>> Yik Chan Chin: My remark is ideally, we hope there is a minimal framework developed out of these discussions.  At the moment, WTO, there is slow progress in the WTO in terms of e‑commerce negotiation.  How long will it take to reach minimal agreements?  We don't know.  But I think there is progress.  At the same time, as we see, nothing more in the more regional free trade agreement and digital trade agreement, the recent New Zealand and they have the digital Treaty agreements.

It will be relevant in parallel with the WTO and other trade agreements.  And as other speaker just mentioned, there is also compatibility and magnetism and also mutual recognition agreement.  We can mutually recognize each country's regulations. 

So there is also compatibility mechanisms to help bridge the gaps.  The third one, that Professor Locknie Hsu mentioned, there is the soft flow approach.  It is a cold approach.

We can see, you know ‑‑ if there is no global agreement, which is not ideal situation, there is the co‑existence of different regional agreements and mechanisms.  We want a digital agreement at the global office.  Thank you.

>> MODERATOR: Others at the roundtable?  It will go well.

>> Mansi Kedia: If I can go? 

>> MODERATOR: Yes, please. 

>> Mansi Kedia: You know, I don't think anything will happen immediately as you said, it will take a while for any sort of coordinated response to come about.

But I think the broken system will work to help navigate the global digital economy until then.  It is not as if nothing will move that has been often more trade in the absence of the agreements. 

There are going to be several other policies that will need to be addressed to address the problem of the digital divide.  So while harmonization of cross‑border data flows is important, I don't think that until we reach the point of harmonization, it will completely break down digital economic engagement across different countries.

And in order to address the problem of the digital divides, which are likely to get magnified, given how different countries are moving at different speeds on different aspects of the digital economy, cross‑border data flows are not the only thing that can solve that problem.  It is in my opinion, it is one of the smaller issues to address in the divides problem.

>> Rolf Weber: I would like to respectfully disagree to a certain extent.  I think if you have a fragmented world, we charge businesses with the heavy administrative load.  Already now, if a European company is active in different countries, some three, four, five people are needed to check out which kind of privacy laws are applicable in these countries.

So I think minimum harmonization would certainly lower the administrative costs of internationally active entities. 

>> MODERATOR: Anyone else? 

>> Locknie Hsu: If I may jump in? 

>> MODERATOR: Yes, sure. 

>> Locknie Hsu: I am hearing Mansi, the fragmentation will go on indeed, there is trade cost and trade friction caused by rules that are disparate and fragmented and often, I think, even unclear.  And just as an example, because even within the trade agreements where you have data localization principles on rules.  There are exceptions.  And exceptions can be quite broadly worded.  In that, there is potential uncertainty as to when a country may pull the rip cord and say, well, I am going to as a measure under the exception of the trade agreement.

So there is a question mark in terms of what these exceptions scope should be, how to clarify what businesses need to know, what they can and cannot do as mentioned before. 

The other point about the digital divide, I want to mention an example from my Region where agreements have often transition periods for developing countries where developing countries have a bit more time in which to enact the privacy laws or to fulfill the transfer of data laws, required under such an agreement that they sign.  I think those are little tools within such agreements to help the developing countries in such trade agreements to try to manage and transition into the sort of new set of principles.  Thank you. 

>> Zhisong Deng: Without a common international approach, I am noticing three risks.  Number one, trade barriers.  This is where obstruct the communications in the years.  The second is localization and the requirements will increase the burden on the global enterprises.

Third is we lose the maturity of the digital economy enactment.  Although global Treaties are more helpful to soft the current dilemma of data flows.  It is difficult to reach such an agreement at the present. 

So I think we can start with reaching more bilateral or regional agreements.  So the co‑issue is that all the countries should respect the national and security interest of other countries and should not brought others from the global data flows.  Thank you. 

>> MODERATOR: Great.  Do we have any questions online? 

>> LINDA: Not yet.  I will comment about an international framework.  I think that there are different approaches on how we look at data governance.  I think early on in the conversation, there was, you know, in Europe the user is central in data protection.  We see, in my view, America is very company‑centered.  So you look at the continent like Africa where most of the data protection laws now are enacted post GDPR meet the GDPR like China you mentioned earlier.  Sometimes it didn't work because of the different context, different budgets, and different political structures.

So I think there is a need to look at this.  Different ways of looking at data governance and see where does the public interest lie, and where does also the national security lie.  Because that is what is coming out in a lot of data from Africa.  But you know, there is a national security and Government must still be in control.  How do we achieve data serenity without data localization.  And sort of balance tools and agree on that as we proceed to have the global conversations.  Because I think those differing points of view really have people in their own corners, deciding on their own data Government approaches. 

>> MODERATOR: Yes, a couple of people over here.  We start here and then you will be next.  Introduce yourself.  Yeah, go ahead.

>> ATTENDEE: I have a small inquiry.  I am from Nepal.  I was a small inquiry.  It was mentioned that China does the special agreement with the companies for the cross‑border data flows.  So since I was looking at a couple of areas on this issue.  I have concerns regarding our local context.  How will that solve multiple jurisdiction issue of the data protection? 

So the company that is getting data depends on a different jurisdiction.  And it is a different jurisdiction in China, how it is working.  It is interesting to get more explanation on this.

>> Yik Chan Chin: In Chinese company how they get around the agreements? 

>> ATTENDEE: Not the Chinese companies, how they ‑‑

>> Yik Chan Chin: You are not asking me Chinese ‑‑ I understand your question.  Yeah, that is a big problem for companies which are in multiple locations and work in different jurisdictions.  As I said, you know, if the country is not a part of the FTA, free trade agreement, we don't have the original agreements, so your company is not renewed in the local regulations, and you have to comply in each jurisdiction individually.  That is just what all of the other speakers say.  That is ideally the regional or international agreement to reduce burdens of the companies.

Otherwise, you have to sign up like China and also European Union, and they have the contracts.  The sign up between the individual company to deal with the issues, according to the jurisdictions. 

>> MODERATOR: Next, introduce yourself.

>> ATTENDEE: Thank you, my name is Angel, I'm a Ph.D. candidate in China.  I'm doing research on data governance.  I appreciate the insight from the speakers.  From the perspective of the Government, it is showing divergence and policy fragmentation on the data governance.

I have a question regarding the perspective from the business sector.  So I wonder what is the role of the business sector?  For instance, the digital companies, their role in the national regulation making and also what's their role in the international data governance and corporations, this is in the digital economy.  The big digital company, they are gathering the data and use the data.  I guess they are a significant actor in the data governance cooperation.  Thank you. 

>> MODERATOR: Anybody want to comment on that comment?  (Chuckling).

>> Locknie Hsu: Please go ahead, Rolf.

>> Rolf Weber: I think at least in the western hemisphere, the business sector is involved in the preparation of the laws and has impact on the exact formulation of the legal provisions.  And apart from that, we do see many soft laws standardization in the western hemisphere, I really cannot speak in detail about East Asia.  I know for example, have seen already four years ago that Microsoft has developed a cybercrime convention proposal, something like that.  Since Microsoft has stated it is important to have global rules combatting cybercrime.

Finally, the whole efforts have come to almost a standstill because many Governments were relatively hesitant to follow a business oriented approach.  And maybe there are all good reasons to have some hesitations to accept the Microsoft proposal. 

I wanted to say it is the case that businesses are actively involved in the rule setting. 

>> MODERATOR: Great.  Ms. Mansi Kedia, you had your hand up? 

>> Mansi Kedia: I wanted to refer to a study we did in India.  We ran a survey across companies, multinational big companies, medium‑size companies, and small companies to get their reactions on India's current policies and cross‑border data flows.  This was mostly an exercise to look at the economic costs or opportunity costs of not having the uniform law, which I've been told, at least the opinion is it is necessary.  So what we found from the survey is that this is very ‑‑ the requirement for cross‑border data flows at least in India seem to be a sector specific issue.  This came for sectors, companies that belong to the communication services sector, financial services sector, seemed much more affected by the lack of harmonized laws or the restrictions on cross‑border data flows.

And these were also companies that were mostly large size, multinational corporations and not necessarily small or medium‑size businesses in the country.  Several other countries with digital models didn't necessarily worry too much about the data localization laws.

There was a balance of how companies were operating.  This is evidence of one survey.  I thought I would put it out to understand at least how businesses in India and enterprises across the Board are reacting to the Government's position on cross‑border data flows. 

>> MODERATOR: Thank you, Dr. Locknie Hsu, did you have a comment? 

>> Locknie Hsu: Yes, just a small one.  In relation to the role of the Private Sector, if we look at some of the recent agreements, the Private Sector is looked in, specifically.  So for example, the Asian agreement on e‑commerce, there is a provision on stakeholder engagement, which specifically mentions that the Asian Member States should regularly speak to stakeholders and engage them including Private Sector members and each Academia. 

So I think we are beginning to see that it is a recognition within the formal Treaty that this engagement with the Private Sector is very important.  Thank you. 

>> MODERATOR: Great.  A question over here? 

>> ATTENDEE: Thank you.  I'm Amad from University in France.  I would like just to touch on the issue of African continent free trade and totally marginalized.  Even in terms of comment and participation, because as our sister mentions, if we go and negotiate as local dimensions, we're not going to get anything.  We have to have a continental dimension to have our proper position.

Maybe not to restrict to the borders imposed by the colonial system, still on the continent.  And surprisingly, we are not learning from the experiences of the United States or European Union or other continental dimension like China or India when they go in terms of ‑‑ when they go for trade issues.

Secondly, on the issue of the data, as African continent itself, as long as it is fragmented, also it is poor in terms of data.  So there is nothing to protect as such.  They need to post the cross‑border cooperation in order to get reliable data to enable them to at least pause their development and integration is a global economy.  A lot needs to be done on that.  And I think it is just a comment.  The African continent free trade area is young.  It is starting as a guiding country.  But this needs to be scaled up as much as possible.  And also, we need accelerators for that.

Because if we follow the same pace, we're not going to reach anywhere.  This is crucial.  And now, the utilization of data information is in itself, an accelerator.  We have to take stock of that.  And work seriously on that.  And maybe enable these countries not to just be a receiver of in‑flow of goods and services.  But to at least add value to what they are exporting to the rest of the world.

At least promote the free flow of goods and services persons.  And maybe work more seriously on that.  This is just a comment.

>> MODERATOR: Thank you for your comment.  I was talking to Linda on this earlier.  I don't know if you have a position.  Are there bilaterals as you wait for the African Union to ratify? 

>> LINDA: We have the Africa policy framework that was endorsed by Heads of State this year in February 2022 that offers an additional sort of mechanism for that.  But also, we do have different African countries that have done trade agreements like the Malabo, I think USFTA that has provisions on digital trade and data flows.  I wanted to mention already about 33 African countries have passed data privacy laws.  And mentioned about 21 of them have provisions on cross‑border data flows.  And most of them are looking for one safeguard and most ever transactional.  Meanwhile, I don't see a continental framework that would provide this yet. 

So now even at this IGF by the parliamentarians are calling for the ratification of the Malabo convention as a sure step to get us there.  There is steps on what is ratifying ‑‑ calling on the African Union to ratify the convention.  There is too long and so much has changed.  Ratify won't make a difference.  Exchanged with COVID and technology as well.  Yeah.

>> MODERATOR: Great.  Any thoughts from our roundtable before we end the comments?  We'll let Linda have the comments.  Back of the room? 

>> Rolf Weber: Very short comment.  Africa is really front‑runner on mobile ‑‑ and pace insofar, as there is merits in the African conventions. 

>> MODERATOR: In the back of the room.  Identify yourself.

>> ATTENDEE: I am a Commissioner in South Africa.  I serve together with the Chair.  We have done some interesting work on our benchmarking with some countries with regards to the approach to achieve and to understand how adequacy of cross‑border data flows will work.

In Canada, it is up to the company or the controller to assess adequacy.  In South Africa, it is up to the company or the data controller to assess adequacy by taking the South African law and see if the country that you are going to transfer data to is adequate in terms of our law.

In the U.K., they have developed tools but not the regulator, not the ICO, the Department of Sports and digital something has developed those tools. 

The question that I ask was that ‑‑ so ... is the approach now that you are going to assess adequacy in terms of your law?  The country that you are transferring to?  They said yes.  But in our situation, we are going to grant EU automatic adequacy.

The question then becomes in this fragmented approach, who is going to do what?  So ... the difficulty ‑‑ the ‑‑ because we have done work and asked and engaged.  It is a fragmented approach across the whole world.  So ... we shouldn't even bother just looking at South Africa because the whole world has this problem.

We should design tools that will become the standard because although Africa is trading to a certain extent among the different African countries, the volumes in the margin is not as big or high as opposed to Europe.

And when you look at the approach, you will then have to look at fulfilling the adequacy requirements for the ICO and U.K. and for Canadian law.  It just becomes a mess.  I will stop there.

>> MODERATOR: Any comments on it's a mess and we need to figure this out?  (Chuckling).

>> Yik Chan Chin: In response to that, if you look at the recent WTO negotiation, African Groups actually submitted proposition to the WTO.  I was surprised to know that the African continent is forming a free trade agreement.  In the submission to the WTO, they said they do not really welcome the free trade agreement in terms of transborder data flows.

They want a more self‑protective industry policy.  So I think the African country already realize that, you know?  So they already state their position quite clearly in the WTO agreements.

So I think that is my response.  It is up to the different countries or even the African Union, you know, to decide which way they will go forward.  If they want to join the international trade flows or want to have more self‑protective industry policy for their own continent or different countries in Africa.  I think, yeah.  Thank you.

>> MODERATOR: Great.  Any last comments from our panelists before we close out?  We have done it.  Okay.  I'm feeling ‑‑ wait one more comment over here on this side of the room. 

>> ATTENDEE: My name is Vincent, I'm from Rwanda.  I want to ask for clarification from the presenters.  Like Singapore, I know they have been dealing with data protection for a long time.  I want to know how they deal with the data control and persistence.  If they give them the license?  If they paid them for participating?  And also, I have another issue that I have some clarification.

The issue is to Africa, African Union, in the convention.  As you said, it has been approved in 2014.  And (?) not ratified the convention.  We need a new one or two countries to go in force.  I'm asking if Africa if they have this advocacy to bring more Member States to ratify the convention, at least so Africa can start to use that tool?  And maybe the CFT in the future, we can sort out the issue of cross‑border.  Because I think it is an issue now.  And together we can sort out that issue in the future.  Thank you. 

>> MODERATOR: Okay.  We are out of time.  I want to thank everybody for being wonderful, patient discussant and audience on this very important topic.

I think India might be right, we might end up somewhere in the middle.  We need to continue this discussion.  I want to applaud everybody in the room for taking the time to discuss this.