IGF 2022 Day 2 WS #254 Trustworthy data flows: building towards common principles

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> TIMEA SUTO: I believe we have everybody online, which is great and have almost everybody who wants to come in the room are in the room. Hopefully we're joined by some more audience members. Organizers and panelists are ready. Without further ado, I'm one of the organizers of this workshop from the International Chamber of Commerce to support the Information Society Initiative which is the hub for business input here at the IGF and other intergovernmental, international discussions on digital issues.

If you are looking to be in workshop #254 on Trustworthy Data Flows, you're in the right place. Conference Room number 3 and online. We have a nice and select panel with us. Quite a few experts and quite a big agenda to go through. So I will not take up much of your time. Just wanted to make sure that we're ready to kick off here in the room. With this, I will hand over the managing of the session to my colleague and dear friend, Makoto Yokozawa from Japan who's a senior research fellow at the Centre for International Economic Cooperation in Japan and is also our Ambassador to the Asia region from the International Chamber of Commerce Global Digital Academy Coalition. Mac, please take it away.

>> MAC YOKOZAWA: Thanks, Timea. This is a great opportunity. We're talking about including the data flows and government access to data held by the private sector which is a relatively new issue. That many of us are facing recently. I hope this session will have a great impact in the policymaking process and protect our business as a business sector.

So thank you, everyone, for joining us today. And for time, I immediately start the beginning session and welcome session for you. And I will call the participants here today. We have basically seven speakers. Seven panelists here. But, unfortunately, Mr. Yoichi Iida will join us today later. So we'll begin with Mr. Peter Farrell who is a Global Privacy Director at Unilever. And Mr. Gregory Nojeim ‑‑ apologize if I don't pronounce very nicely. But he is a Senior Director at the Security and Surveillance Project at the Centre of Democracy and Technology. Also Maarit Palovirta. She's Director at the European Telecommunications Network Operators' Association, ETNO. The sixth person is Mr. David Pendle from Microsoft. International security, privacy, and strategy. And Ms. Carolina Rossini, Co‑founder and Director of Research and Datasphere Initiative. And finally, Ms. Miriam Wimmer, Director at the Brazilian Data Protection Authority.

So we have this very distinguished panelists here. And we are very happy to start our first session which is introduction of topics. And I will firstly invite Ms. Carolina Rossini and then Mr. David Pendle after her. And we will set the scenes for the discussion. And the role on the importance of the data and cross‑border data flows in today's economies. And as you might know, the data‑free flow of mistrust is just something that we are very much taking care of in the G7, G20. In these IGF sessions, we have many opportunity to talk about data flow.

So we are very happy to talk about that. Including how the business sectors and the governments and Civil Societies can take a role in this very important role.

So I would like to give floor to Ms. Carolina Rossini and she will talk ‑‑ I hope she will talk to us about the role, functions, and value of data in today's economy and the societies.

So, Carolina, please take the floor.

>> CAROLINA ROSSINI: Thank you so much, Mac. Thank you so much to all the ICC teams who have put this panel together. It's really interesting to join you today and discuss data flow and also principles around data flow.

Just yesterday, I was speaking in a related panel around Internet fragmentation and how data localization matters have been across ‑‑ a core element really leading to a lot of fragmentation of the Internet which was born to support free data flows.

Of course, coming from a Civil Society background, we like to use the word, trust, but we also like even more to use the phrase, rights respecting.

But let me just give a step back and introduce the Datasphere Initiative. The Datasphere Initiative is a non‑profit organisation. We are operating, and our mission is to work responsibly, log the value of data for all. We do that through a series of activities, partnerships, and (?)

But talking a little bit about the value of data, it's interesting to see that there are different measures out there, but we know that this current century is the century of data. Is the century that we try to understand and measure and benefit from the data economy.

And digital data has a unique property. As you all know. And we map that in our report we published last year that I think is still really relevant to understand this context that's called We Need to Talk about Data. In that report, we discussed issues between free‑flow of data with trusts and rights‑respecting on one side and the issues of data sub‑right.

Data, right now, we have lots out there and measures. In terms of sheer volume, data produced worldwide by 2025, and that's just one example of a statistic, is expected to hit 175 terabytes, right, which is something almost incomprehensible. So if you put all that data in the CDs that we used to have when we were a little bit younger, that chain of CDs would circle the Earth over 200 times. So it's very interesting to measure that in a way that we see physically how that, all that data, get expressed nowadays.

Of course, not only about personal data. It's also about nonpersonal data. If you think about the Internet of things, agriculture, health, manufacturing, environment, and transportation, which are all data that without access to the data and a trustworthy access and rights‑respecting access, none of the Sustainable Development Goals could be accomplished. Right? Both if you think about data as a core information or a statistical data to support policymaking. But actually to improve all the economic sectors and collectively fight global challenge such as global climate change and so far, so on. It's interesting to see how even today it's so hard to bring COVID data together to do research. And to track the effectiveness of treatments and vaccines. So far and so on.

When I say let's understand why data is unique, I have a couple of messages here. Then I can wrap up. Be aware of analogies when devising policies to access data. Especially data carried by the private sector. There are knowledges everywhere. Data is the new currency. We've heard that. Even while these analogies might be useful to start approaching unfamiliar situations, we cannot take them too literally to make real policy choices. We need to understand what data is really about. How it behaves. How it affects people. How it impacts business. Right? How it impacts our ability to exercise our human rights, civil rights, in some countries.

The world of data is growing and diverse. Prone to overlapping modes of classification. And we see this complexity not only on the increasing number of norms, hard law norms on data from trade to privacy issues. But also in the ever‑expanding number of organisations working around the issues of data governance, for example.

Another resource I want to share is our Data Governance Atlas where we mapped almost 300 organisations working this space. In a more holistic manner that goes beyond, for example, privacy and cybersecurity which are, of course, core for our discussion today.

And data has initial properties, right? Data is different from goods and services. Resources which can be combined in numerous value chains without being depleted.

And location and storage and processing is not all that matters. Although, usually the one where so much debate revolves around. We'll discuss a lot of principles today exactly with this issue. Where data is being processed and stored. It should not be the focus. Right? There's even more proof nowadays that a lot of data localization and reputation is not only bad for cybersecurity and data security but actually it's bad for the planet.

So I'm going to stop here for my contribution. I'm sure we can discuss some of these aspects more. And thank you.

>> MAC YOKOZAWA: Thank you, Carolina. That's wonderful to introduce our thoughts. And you mentioned about interpersonal data and human rights and norms. That's a very, very important thing. I will ‑‑ I hope we will touch upon later in discussions as well.

So, okay, so let's move on to the next, the second panelist who is Mr. David Pendle from Microsoft. I hope we can hear from him about trust, which is my favorite word, and trusting the data flows and what is eroding the trust.

So, David, you can please take the floor now.

>> DAVID PENDLE: Thank you, Mac. Hello, all. As Mac said, my name is David Pendle. I'm a Senior Attorney at Microsoft on the team that responds to government requests for data. The Law Enforcement and National Security Team. First, apologies for not being there in person. Sounds like quite the opportunity. I wish I were. Second, apologies I'm not having my video on. I'm sitting in Redmond, Washington, Microsoft's headquarters. We had snow and wind last night. The power was knocked out. I can promise you I'm sitting in a suit in the dark hoping that the power turns back on. And I'll show you on video if it does.

Cross‑border data transfers are at the heart of how the global digital economy functions today. Around the world, we're seeing governments erecting walls around data within their borders whether to ensure they have control over data in their jurisdictions or prevent other jurisdictions from claiming any authority over their data. We're seeing compelled data localization measures pop up. This is in context that the data is global, transcends borders. That fact is with data localization which effectively fragments the Internet and its benefits. This lack of trust in data flows does have pretty significant economic consequences. It clearly slows economic growth and reduces trade and impacts GDP. Companies and governments don't take advantage of the global digital economy, they have some consequences as well. Individuals are obviously less connected globally. Businesses may maintain data on premises using infrastructure that's more prone to service disruptions. More costly. Doesn't scale. More vulnerable to cyber-attacks. Even more vulnerable to unauthorized access from nation states.

Governments similarly risk falling behind. They can be slow to adopt new technologies supported by cross‑border data flows. And not take advantage of hyperscale cloud technology.

There's not one cause for the eroding trust in data flows. There's one cause that we seem to hear about more than others. That's government access to data. Specifically, cross‑border access. We at Microsoft hear these concerns in our conversations with customers. We see them reflected in restrictive regulatory guidance. And enforcement actions around the globe. The concerns are often focused on U.S. government access. That's what I spend much of my time working on at Microsoft. Specifically, laws such as CLOUD Act and FISA. Increasingly, there's recognition that many countries around the world have broad laws on paper that may be used to compel technology providers to produce certain customer data including personal data.

However, the fear here is largely theoretical based on our view, my view, on mistaken notions of mass or systemic surveillance across borders. The reality is much different. For example, in the enterprise context, over the last six years Microsoft provided the U.S. law enforcement with content data belonging to a non‑U.S.‑based enterprise just 12 times. That is against a period where we received 330,000 requests for customer data. So I would conclude this portion, my intervention, just by noting that while this risk of government access is quite low, the fear is very real. And it is driving both restrictive policies and business decisions globally. Thank you, again.

>> MAC YOKOZAWA: Well, thank you, Dave. That's a wonderful speech. Again, you talked about data government access and how the data flow is important for us. That's actually around the economy for the next decade and may be very, very essential resource which we have to take care of.

You touched on government access as well which is what we are talking about in the next session. It's very good demographics of what is the issue, real issue in government access.

In my mind, the government access is a balancing issue between the who will take the primary role in data governance and some country is thinking the country and government is the primary stakeholders in governing the data governance.

And in most of the countries or economies, we think it's a private sector and data subject who can take the primary control of the data governance.

So this is very difficult but fundamental debates here we can see. So we will talk about that later in the second session.

So, thank you, you two, Carolina and David. And you can join in just raising the flags to speak at any time.

So, okay. So thank you. That is quite nice. A ten‑minute discussion about what is the data flow and how it is important for us.

So we will move on to part two of this session. And we will take 20 minutes to ‑‑ including the four speakers from the panelists, distinguished panelists, and starting with Mr. Peter Farrell who is a Global Privacy Director at the Unilever. He will speak about the ICC paper. Maybe this is the first white paper, government access held in the private sector. And this is very important. And we talked about it, the data flows and what is the good governance principles in thinking about this issue.

So, Peter, please take the floor.

>> PETER FARRELL: Thank you. Thank you, Mac. I'll just put my camera on. I think it may be on now. Yeah. I think it is. Yeah. I think, yeah, the reasons for public principles of trusted government access to personal data from business perspective is that it makes a lot of sense for business to have some kind of certainty from governments in terms of what principles they are going to sign up to so we can be certain that there is a level of trusted access to data from the governments in those countries and we are able to transfer our data freely to countries that sign up to these trusted government access ‑‑ principles on trusted government access to personal data.

I think if we go to the slides on this ‑‑ yeah. Great. Excellent. So the first ‑‑ we've got eight, in effect, eight principles that we've come up with. The first one is the legal basis for the transfer. And we think that there should be international agreements. I guess this is a multilateral approach. So that we have across all of the different laws and regulatories that countries are putting into. Some kind of common laws and agreements that will allow for government access to personal data to be very clear.

And that's really important in terms of getting some kind of certainty, again, that we have got a clear and comprehensive legal basis for access across multiple jurisdictions.

And really, a lot of this is I think was mentioned previously is basically trends related. In terms of the legitimate and proportionate aims for access to that data or public data by governments. And we want there to be a principle that the purpose and the reach of government access laws should be proportionate to meet the defined public safety and national security needs. And authorities should not be employed to commercial advantage or data held by foreign governments or the public sector.

And we also want to ensure that the authorities will have safeguards in place to pivot unfair and discriminatory treatment.

So if we start to get those legitimate aims, that's what gets us around one of the key issues of necessity and proportionality of government access to data that's raised by the case.

The laws that we obviously, we want to make sure that the access to that data is restricted so that in is necessary and proportionate to the degree of infringement of people's privacy rights, is proportionate to what they're actually trying to achieve in access to that data. So this should be in most cases some prior judicial approval before significant interference by the government with personal data.

However, we accept that there are going to be some cases due to national security grounds they're going to need to access the data very quickly in certain situations. I guess some of the situations that we would accept is, for example, if there was an ongoing terrorist attack, yet, you would expect the authorities to be very quickly be able to use location data from telecommunication networks to identify where people are and that has been use from previous terrorist attacks. Accept some kind of proportionality there. There are specific things, actions need to take to protect citizens and national security without prior judicial approval.

So if we move on to the next slide ‑‑ can we move on to the next slide? Yeah. Thank you. So in terms of actually accessing the data, again, this comes into another TREMS thing. Although they may need to access data, there has to be an element of data minimization when accessing that data. Actually data that they access is proportionate to what they're trying to achieve. Also, they only keep that data within strict retention limits. Again, that also goes to some of the challenges, the Schrems case, which leads into a test.

Also, we have transparency in terms of demand for access. That basically means that the government's report in terms of ‑‑ are transparent ‑‑ and aggregate, access to personal data by the national security agencies and are transparent about when they are seeking access.

Now, obviously, there's going to be a certain amount of secrecy in terms of national security. But we do need to have more transparency from governments in terms of when they are accessing data for national security purposes and specifically bulk processing which is a key thing in Schrems, again, to limit that access to what is necessary to achieve those.

But then coming on to one of the very, very key elements of the Schrems case is independent oversight, access to it by the authorities. And this is something that is absolutely crucial. Whilst government has access, it should be subject to independent oversights by a separate judicial or authority or tribunal that is not appointed by the government. And has an element of independence. So, from the government.

So that is a very important principle in order to meet the requirements of upholding fundamental human rights.

Can we go to the next slide, please? Then in terms of the mechanisms for effective redress, that is something that we want to see those redress, those effective redresses mechanisms that can challenge unlawful and inappropriate demands in front of the authority. Again, this is one of the key areas in the proposal for the Executive Order from the Biden Administration in the U.S. where he's setting up an independent authority to look into any complaints of access by the U.S. security agencies to access to a person's data. An independent tribunal that can look into that and remedy any unlawful or disproportionate access to data.

Now, that is, obviously, something that is really important between U.S. and Europe. And it would be great if we can get some general principles that there are going to be those independent redress mechanisms across multilateral countries rather than just a bilateral arrangements between the EU and U.S. or UK and U.S. It's very important for companies that we have clarity on that for government signing up for those principles.

Then I think is the conflict of law in terms of multiple jurisdictions. We do have this conflict of law situation where at the moment, a lot of the data privacy legislation and government access to data legislation is extra territorial. Again, that is one of the challenges where there are these conflicts of law. And, frankly, systems don't have necessarily the rights of standing in foreign jurisdictions such as the U.S. That's one of the ‑‑ if you're not a U.S. system, you don't have the constitutional protection. In the U.S. We need to get where there are conflicts in law and difference of law in terms of enforcement. We need to have a framework where governments are signing up to international agreements that minimize those conflicts of law. Also, you obviously have a situation where a government could seek access extra territorially to data held by another country, another company that's operating in that jurisdiction but also based in the jurisdiction of the authority or country that is requesting that data.

So we need to have some clarity there in terms of for resolving those disputes so companies and individuals are not caught in the middle.

So that's a brief overview of the eight principles. But what I think is important for business, well, one of the challenges the business is having at the moment is we are being asked as businesses to actually determine all of these things in transfer impact assessments and make determinations as to whether or not countries have similar mechanisms to the eight principles in place so that we can determine whether there is equivalent protection between the country that is exporting the data and the country that is receiving the data. Or the company in those countries.

That is incredibly challenging for companies to do because it's incredibly challenging for governments to come up with those kind of assessments. It's incredibly challenging for regulators to come up with those kinds of assessments. When you're looking at adequacy assessments between the Europe and the U.S., it's taken about a year and a half of negotiations to get there. We got another six months to go.

So it is incredibly complex to make these assessments. And by asking companies to do these assessments on a case‑by‑case basis is incredibly bureaucratic. And the challenge with that is by asking companies to make these assessments, we're going to increase the friction and the free flow of data. That is going to impact trade and the digital economy.

So with that in mind, I'm going to pause for a moment and ask if anybody's got any questions or, perhaps, we can move on to the next speaker if there are not any.

>> MAC YOKOZAWA: Thank you, Peter. That was a wonderful introduction of the ICC white paper including the principles. The guidance for everyone to think about really. Not only the government access to data, and also the free flow of data, itself. And for your information, this is quite important, right. The government Japanese regulation in personal data protection now requires to explain data status of the government access to the companies where personal data will be transferred. So this is actually a new regulation in enterprises. In private sector. It's actually happening. So this is quite an improvement.

So thank you, Peter, again. We can move on to Gregory who can, I hope, who can dig a little bit deeper about this matter. Address government access matters in the private sector. So, Gregory, please take floor.

>> GREGORY NOJEIM: Thank you so much. I'm Greg Nojeim with the Centre for Democracy and Technology in Washington, D.C. We're a non‑profit organisation dedicated to protecting freedom on the Internet.

I think it's important to step back a little bit and to think about the processes that are in place for resolving what the rules ought to be on government access to data. Particularly in the cross‑border context.

We keep talking about data. What we are most concerned with is government access to personal data. To data that often contains the communications and very sensitive communications between two individuals. It's very easy to say, oh, we need to have a free flow of data across borders to facilitate economic growth and economic activity. That data is your conversation with your lover. It's your conversation with your children. It's sensitive financial information. It's very important that that data be protected against government access except in the extraordinary circumstances where it can be justified.

With respect to some of the processes under way to resolve what those rules ought to be, we're concerned that the OECD process, which is one among governments as opposed to being more multistakeholder, is going to result in a race to the bottom. Where countries agree to principles that either reflect what they already do or that could be interpreted to reflect what they already do. And that makes it so that if each country moves into that position, that negotiating position, then what you get is a lower common denominator. What everybody already does that they can agree to.

And I think that's a significant risk. And the reason I put into the materials for this programme the 13 Principles on the Application of Human Rights to Communication Surveillance is because that's an effort to kind of push back on that risk of a race to the bottom.

From 2012 through 2014, these principles were negotiated among a fairly large group of NGOs. And eventually signed on to by 600 organisations and 270,000 individuals around the world. I'm going to put a link to them in the chat right now.

When it comes to what these principles ought to require, I think that in many respects, they are consistent with what the ICC has put forward. But I want to drill down on a couple of them that I think are particularly important. The first is the rule of judicial authorities with respect to communication surveillance. It's important that the authorities have the ability to determine whether surveillance ought to occur in the first place with respect to a particular target. Some countries have judicial authorization, but authorization at the programatic level. As opposed to at the individualized level where there's a determination that the individual ‑‑ I'm sorry ‑‑ information to be collected through the surveillance either reflects a strong probability of crime or a strong probability of threats to national security.

And I think that's missing in a number of states' surveillance regimes.

Another aspect that I wanted to drill down on a little bit was the concept of transparency. There are two pieces to it. The first is reporting the numbers of surveillance demands and not hiding those numbers because the demands were based on national security concerns. Raw numbers, it seems, ought to be able to be reported without substantial risk to national security. Particularly when the numbers are high. That is ‑‑ when the numbers are very low, there is some risk. I have to acknowledge that. That there will be a revelation of an uptick that might give an adversary or a terrorist organisation information that could be used detrimentally to national security. But generally speaking, there should be the ability to publish these numbers.

The other aspect of transparency that I wanted to stress was user notification. In some countries, user notification of surveillance is unlawful. It's a crime. And I think the approach ought to be the opposite. And I think that international human rights law requires it to be the opposite. That user notification be standard and be required. It doesn't have to happen prior to the surveillance. Because that could thwart the aim of surveillance. But user notification when the surveillance is terminated, it's essential in order to exercise rights of redress. I think that concept is missing from some surveillance laws around the world.

Let me stop there. Those are the things I think that we need to focus on, particularly when we drill down. And I look forward to the discussion.

>> MAC YOKOZAWA: Thank you. Thank you, Greg. Actually, it is perfect. We can learn from you about the impact of this discussion. And how the principles is important. And, yes, transparency is one of the most important things for us. I agree. Totally agree with that.

So, okay. So I'm mindful of time. So maybe we have to move on to the next speaker, Ms. Miriam Wimmer. She will, again, dig on this issue, what is the impact of this agreement on principles of data protection authorities. So, Miriam, please take the floor.

>> MIRIAM WIMMER: Thank you very much, Mac. Thank you very much for inviting me to take part in this panel with such distinguished speakers. It's a huge pleasure to share this discussion with you guys.

And moving forward, I think previous speakers were talking a bit about the problems related to restriction of global data flows, fragmentation of the Internet. Peter gave a very nice introduction to the ICC paper on principles related to governmental access to data. I think it's important, you know, speaking from the perspective of a national data protection authority also to, perhaps, take a step back and examine why, in fact, countries do establish limits or conditions to international data transfers. In this sense, I think it's important to note that when we're discussing the processing of personal data, it's important to always take into account these two different aspects of what personal data protection is.

So on one hand, the economic aspects related to processing personal data. And I think it's very clear from previous speakers that it is super relevant to enable data to be shared in a responsible manner. To be used for public good. To be used for economic benefits. For competitiveness and so on.

On the other hand, also mentioned by the previous speaker, it's important to keep in mind when discussing personal data, we're discussing projections of a human personality. And in this sense, protection of personal data is a discussion strongly associated to human rights protection and informational self‑determination.

And think for this reason, when we're discussing limitations to free flow of data, they are also very complex regulations that establish conditions for data to be transferred overseas in order to enable this data to be protected regardless of where it is physically located.

I think this is a bit of the background for us to realize that there are many, many, many different approaches toward personal data protection. So here in Brazil, for instance, we have a very European approach. We have a comprehensive data protection law that applies to public and private sectors. We have a fundamental human right to privacy and personal data protection enshrined in our constitution. We also have an independent data protection authority and have commercial ties with countries who have different approaches. Sector‑specific approaches, for instance. Or consumer‑protection approaches. And also where rules and governmental access to data are different.

So in Brazil, usually, a court order is required for governmental access to data. Other countries have different rules and different procedures. And I think that when we discuss this context as mentioned by Greg, there are many concerns that disproportional governmental access to data especially under a broad umbrella of governmental surveillance and intelligence activities may violate these fundamental human rights of citizens related to personal data protection and privacy.

In this sense, I think Greg was very clear when he mentioned that also these principles, as we were discussing, such as appropriate safeguards, redress, transparency, are in themselves also very complex and need to be further fleshed out in order for us to be constructive and move forward.

And speaking of personal data protection, I think different countries have also adopted different mechanisms, different tools to enable data to be transferred with trust. As we have been speaking about. And in this sense, I think it's possible to identify, perhaps, two big groups of approaches. On one hand, the very traditional European approach. Based on adequacy decisions, standard contractual clauses, binding corporate rules. On the other hand, different approaches based on private sector voluntary compliance with seal certification, codes of conduct. In fact, it's very challenging for data protection authorities to navigate this very complex network of international data transfer mechanisms and to establish priorities considering their own specific circumstances, but also the specific risks that may be posed in different jurisdictions.

So to close these opening remarks, I think, perhaps, an important way forward is for us to discuss also regionally. So we have a number of different venues currently debating these issues. And we've spoken about the OECD. We've spoken about different approaches. We here in Latin America have Convention 108. We have the Global Privacy Assembly, for instance. And I think, perhaps, an important way forward is for us to discuss these commonalities between our different approaches regarding both substantive principles, for instance, data quality, purpose limitation, but also procedural principles. In this sense, there are a number of principles that are enshrined both in domestic legislations but also international frameworks regarding the right to access, the right to correction, the right to opposition, right to transparency, that may, perhaps, work as important steppingstones to further develop these principles related specifically to government access to data that were very nicely presented in the ICC paper.

>> MAC YOKOZAWA: Thank you, Miriam. That's great. And I totally agree with you saying about the contrast between the economic impact and also the human rights. We have to raise them both with us.

And also you have talked about the GDP of certification. Monitoring mechanisms. I know the Brazilian ‑‑ some of the Brazilian agencies are interested in joining the mechanism. So that is a great effort in expanding those circle where benefits free flow of data with trust. And I hope.

And I'm not denying GDPR, there is, again, very important, the series and the framework to have a united privacy protection mechanisms.

So, again, thank you very much.

And I will invite the last speaker, last panelist, but one who is (?) And now maybe Ms. Maarit Palovirta. Sorry. I can't ‑‑ my pronunciation is very bad. So she will talk about the means for the bilateral or multilateral agreements on data flows regarding this issue. And it's not only the government access but the cross‑border data flow, itself, I hope. So Maarit, please take the floor.

>> MAARIT PALOVIRTA: Yes. Thank you very much. Thank you. And apologies. Finnish is not the easiest language. My name is Maarit Palovirta from ETNO. So we represent the largest operators. Of course, if you think about it, operators are instrumental in all kinds of data transfers and, of course, also cross‑border data transfers. So the networks that we have, they are the channels, the physical channels for data.

And so when we talk about data flows across borders, I think that from our perspective, it is, of course, the government access to data is the key consideration. I'll come back to that. What is also important to understand that today the networks are very complex thing, actually. So we have new dynamics happening around the networks and the connectivity ecosystem such as the cloudification, virtualization of network. We have IoT. So devices being plugged into the networks. Et cetera. Et cetera. We're seeing it's no longer really only the operators who are responsible for the data, but increasingly, also, the vendors, different types of software companies potentially. Also cloud service providers. Cloud hyperscalers. Et cetera. Et cetera. When we're trying to secure our data, we need to look at the full ecosystem and developing the principles and different potential legal framings in accordance.

Now, then going to the government access to data. I'll, of course, talk a little bit from a European perspective because that's our main experience. But also then how that interrelates with different international regimes and also the different discussions that are ongoing at the moment.

So from European perspective, we have quite a, I think, solid legal framing on government access to data. So we have a long experience as operators working and cooperating with law enforcement and different judicial and competent authorities on access to data. And what typically happens, if authorities need access, so what typically happens is that operators receive an information request concerning certain lawful interception or provision of metadata or, perhaps, even blocking of certain websites. If there's some specific concern. But the requests comes to the operators and it's typically then issued by courts or judges. Or comes then from a law enforcement agency and other things.

So the process is fairly well streamlined and legally speaking, quite sound.

Then what might be interesting as well, operators, we take this very seriously. So operators, many telecom companies have actually established some voluntary standardized rules and procedures within the companies internally to ensure that compliance with the legal obligations is sound. But also then that the fundamental rights of citizens are protected so that we are not going too far, whether intended or unintendedly.

So actually some of the bigger operators even, they publish annual transparency reports with some information on the requests received from governments. So there's also a certain level of both transparency. So I think that if we go back to the principles that we just heard, and I think we by and large agree from our point of view as well, you know, proportionality, transparency, these are key things. I think the European legal framework, while there are always exceptions and maybe some loopholes. By and large, we're covering this quite well.

Now, what we are seeing then moving to the kind of the more international framing is that there is some, from our perspective, rather intrusive third‑country legislation that has raised some concerns with us in the past years. And just I think we already heard the U.S. CLOUD Act and also the China's Personal Information Protection Law. And while we start to then have, let's say in our case, the European framing and these other third‑country regulatory frameworks that seem to be sometimes in conflict, so we find ourselves as operators being caught in between different laws. And then the jurisprudence is not quite clear from our point of view.

And, of course, this is, you know, not made easier in Europe because while we have the legal framing on government access to data, but we also have the GDPR. The General Data Protection Regulation. And we have the justice jurisprudence. It becomes a very legal framing. The international dimension doesn't then necessarily provide always the legal certainty that private companies would ideally have.

And then, you know, taking this into the ‑‑ taking this further and thinking into the future, so the EU at the moment is also in the process of reinforcing different ‑‑ the policy framing and regulatory framing around data. And also cross‑border government access to data in particular terms. So we have a new piece of regulation coming on e‑evidence. We have European Data Act that's currently fresh and being discussed. So these are different things that even further then complicate I think the well‑intended policy framing. And what is maybe also interesting that while the policy is, of course, a key kind of, well, a common denominator and sound basis for different practices, but in Europe, we're also then in parallel building some voluntary kind of cooperative practices between the policymakers and industry based on technical solutions.

So trying to build some technical, if you like, best practices to limit foreign governments' access to data. And just to name a few, we have an industry coalition which is for the cloud. The cloud world. And then we have different certification schemes on cybersecurity, for example, which have a voluntary basis. Let's say, perhaps, reinforced from the soft and very practical perspective, the framing around access to data.

So then when we go back to thinking about any international agreements and I think there are quite a few under discussions, from our point of view, it's important that we would then also take into account the different regulatory and technical developments that may be happening not only in Europe but also, of course, in other parts of the world. And this is, of course, a very quite a hard task because this is a very complex piece of legislation. And they are not always aligned, of course, between different regions of the world.

And I also think that, okay, we have the European regulatory framing as one thing. Then also there are some very relevant international agreements as well that we are fully endorsing. So, for example, the Council of Europe Budapest Convention on Cybercrime that was recently updated. That's something we think that should be reserved as a benchmark. And any other further international agreements should add more clear value on these existing international agreements. They're not easy agreements to kind of agree on. So we should then always make sure we ask ourselves the question, well, are we now creating more value rather than just somehow complicating the legal framework not only for governments and jurisprudence and jurisprudence from a jurisprudence perspective but also from private actors who are trying to make sure that data moves from place A to place B in a safe and secure manner, of course. And with respect to all the privacy concerns and respect to rights of citizens.

So maybe I'll stop there for my perspective. Thank you very much.

>> MAC YOKOZAWA: Thank you, Maarit. That's quite wonderful. I would like to wrap up, but before wrapping up, I think Carolina will have to leave the room very shortly. So Carolina, if you are still there, maybe if you can spend the few minutes just answering to the next question which is what are the next steps for the future regarding this government access and cross‑border data flow, free flow of data? So, Maarit ‑‑ sorry, Carolina, if you are there, please take the floor.

>> CAROLINA ROSSINI: Yes, thank you, Mac. Thank you so much for all the colleagues and the commentary so far. I think that it was really interesting to hear both from the private sector in terms of the instances and the difficulties and how sensitive is the data we are all talking about. I think Greg's examples on that he brought up in the beginning of his speech are very clear to all of us on all that is. And to balance legitimate government access with rights. It's not something easy to do. But I think based on some of the ICC principles suggest, the paper, Timea shared the website. I'm sure she's sharing there with the folks that are attending the IGF this year. Can see those principles as very balanced principles in that regard. But each of those, some of the principles Greg mentioned around necessary and proportionate access which are principles that have been developed by large groups of Civil Society and other multistakeholder actors, endorsed by various other groups. So how can we balance this legitimate rights and interest I think is our challenge moving forward. I think transparency, as many of you have mentioned, is key. I think ensuring that the users know what is happening with their data and who's accessing the data and for what is key. And I think that finally, there are a lot of new technology out there like privacy‑enhancing technology that can help to support this process around necessary and proportionate access and also add more trust to the environment.

Of course, things are different, of course. That is not ideal for law enforcement. Law enforcement needs to actually know the real data and the individual data. But we need oversight there. Especially in countries that are less democratic. Less transparent. And that authorities have less oversight in terms of human rights.

So I'm just going to pause here and thank you, all, again, for your contributions. And call your attention to various links shared in the website ‑‑ in the chat.

>> MAC YOKOZAWA: Thank you, Carolina. And thank you for your insights. And, yes, I agree that privacy in technology is another approach of how we can tackle with the issues in general about the data free flow of trust. So thank you, again. And we'll see you, again, maybe in the same fora and opportunities. Thank you.

Yes, Mr. Yoichi Iida is coming in the room. I have noticed. So Iida‑san, you'll take the floor after this short roundtable. Maybe we have five speakers in line. We will be talking about ‑‑ I will rephrase a question for you, again. There is the next step and future action regarding the global uptick and implementation of the principle for data trust and government access. And also the data free flow with trust.

So I will go back to the originally scheduled order. So I will ask, start asking to Maarit again. So maybe in two or three minutes, mindful of time, so sorry about that. Maarit, if you have any insights in answering this question. What is the next step?

>> MAARIT PALOVIRTA: Yeah, looking into the future. I'll be very brief. I already talked a lot. So I think that's the principles that were outlined were very valid. We should then seek to find concrete places where we could elaborate on them. And I think that's from our point of view, as I already said, so they should build on some of the existing ‑‑ well, perhaps, policy framings. And these can be, of course, at regional level. Can be regulatory or also kind of market standards, if you like. But could be also some of those bilateral and multilateral frameworks that already exist. And to try and find if we could somehow build these principles into some of these frameworks.

And I think that also it shouldn't be forgotten that much progress can be made also outside the strict legal framings. So different types of cooperations and technical standards and agreements can be interesting especially if policymakers are part of this. Kind of the role of soft law as well could play a role. Thank you, I'll stop there.

>> MAC YOKOZAWA: Thank you, Maarit. That's great. I actually agree with you.

Next is Miriam if you have any thoughts, any insights about this question. The future of the ‑‑ yeah. Thanks.

>> MIRIAM WIMMER: I'll also be very brief and somewhat echo what MaariT was saying in the sense it's important for us to flesh out these principles and perhaps move beyond words and legal text and seek out more effective cooperation between countries and also data protection authorities. Perhaps, more practical, more operational cooperation taking into account not only these common principles that bind us but also common challenges we're facing. I think, in fact, when we seek to develop these interoperable policy frameworks that may enable cross‑border data flows, with trust, a key aspect to take into account is the need for multistakeholder engagement and need to keep in mind that we're discussing the protection of fundamental rights and liberties of citizens. So those are my closing remarks. Thank you.

>> MAC YOKOZAWA: Great. Thank you so much. Next, Greg, it you have any thoughts.

>> GREGORY NOJEIM: Yes. I think that we have to keep in mind that the principles that are adopted have to be specific enough to adequately explain how rights will be protected and yet flexible enough so they can be revisited as technology changes. Who'd have thought 20 years ago that location information would be so important and so revealing such that it ought to have, perhaps, higher protections than other types of metadata.

And have we gotten the standards right with respect to metadata given how it can now be analyzed and sliced and diced in different ways to draw intelligence from it.

And finally, brokers of data. They didn't exist when a lot of surveillance regimes were put in place. These brokers have the ability to collect data that governments couldn't. Because they don't have the legal authority to compel its disclosure. And now the brokers are selling the data to the governments without sometimes the legal process that would be involved if it was compelled.

So I think we have to have a framework that is flexible enough to account for new changes and that we're willing to revisit when those changes in technology occur.

>> MAC YOKOZAWA: Great point. Thank you for that. Yes, I agree. I am just imagining that the content computing will change the rule totally in the future. So the technology will be changing. And that's very important to think about. Thank you, again.

So, and next, Peter. Peter, please.

>> PETER FARRELL: Thanks. Yeah, I mean, I think we do need a multilateral approach to establish advance trust for data sharing and that we need governments and regulators to look at how we achieve that multilateral governance of the flow of data, trusted flow of data, across borders. Because I think when you're looking at it from a business perspective ‑‑ I totally accept that we've got to protect people's personal conversations and stop disproportionate access to personal data by governments. But what I can't see happening is that businesses, on their own, entering and doing transfer impact assessments, are going to be effective in maintaining that trusted free flow of data.

So for me, it's, yep, we've made some progress. Governments are continuing to make progress. But, actually, if I was going to be a little bit radical about this, like Schrems, I would say there's a lot of gaps and the people that are being asked to fill the gaps are not capable of filling them. So we need to have a multilateral government approach to solving this issue.

I accept that there are challenges in terms of data flows between democracies and data flows between companies, countries. But it is a big challenge. When you look at the amount of data that was exported in terms of data digitally‑enabled services from the U.S. exported to Europe, in 2019, that was 167 billion in digital services. And in the EU, exported 130 billion of the same services to the U.S. So this is a major, major sort of impact on trade, if we start restricting those data flows amongst democracies. And will have a similar impact if we start restricting those flows between U.S.‑China, Europe‑China, which was mentioned on this call. I don't think it was really explored in terms of what is the impact in terms of how are we going to maintain trusted free flows of personal data and data between countries that are already involved in massive digital trade and how are governments going address that. So I really implore governments to look at coming up with, you know, based on what the ICC's doing and the OECD and other organisations are coming up with trusted principles. And looking at working and trying to put those into some kind of framework that governments can sign up to. So that we have some kind of certainty on this point in terms of getting the balance right. I totally accept Greg's comments. Actually, you can do all that and get to the lowest common denominator. I think governments have to be careful how you avoid that lower common denominator. This is a really interesting discussion. But my key message is please don't ask businesses to pick up this. We need help from government. Thank you.

>> MAC YOKOZAWA: Thank you, Peter. That's wonderful. And I think my question, next question, should be like‑minded countries in talking about multilateral negotiation with a discussion about this issue. So, but it's not for now. Thank you.

So finally, Dave, you have the floor. About the future. Thanks.

>> DAVID PENDLE: Thanks, Mac. Absolutely agree in terms of what has been said in terms of looking ahead. There does seem to be a path forward with the OECD efforts. Rights‑respecting rule of law nations agreeing on basic safeguards that should apply, law enforcement, national security purposes, that would seem to lend itself to a framework that different states could sign up to. That means clearly the principles under discussion may need some expansion, clear authorities, independent oversight. Redress. These are all key. I agree with Greg and Carolina that transparency must extend beyond transparency reports to user notice. It's difficult, if not impossible, for an individual to assert their rights if they don't know their rights are at risk because they don't know their data was searched by a government.

At Microsoft, we believe governments should not attempt to provide data from third‑party providers replacing a technology company in the middle of nation state on nation state surveillance. We think that's something that's worthy of considering.

Also strongly agree with the ICC paper for elevating, resolving conflicts of law to its own principle. That mechanisms exist.

Fundamentally, we believe providers should never have to violate one country's laws to comply with another's. This is a problem as Peter said that can't be solved by the private sector. Governments have to fix it. There are different models. There's a bilateral approach that we've seen with the Data Access Agreement stemming from the CLOUD Act between the U.S. and UK and coming agreements with Australia and Canada within the U.S. They provide for cross‑border data requests that meet certain safeguards.

I think the OECD effort suggests a multilateral solution is possible and, ultimately, that's what will be needed. Thanks, Mac.

>> MAC YOKOZAWA: Okay. Thank you, Dave. You have wrapped up most of the things. And I will rule the job out as moderator. Thank you.

Now I'll finally invite Mr. Yoichi Iida who will come from the Ministry of Internal Affairs. Communication. He will be the keeper of the trusted government access, not only limited to that, but he is a proud keeper of the data free flow of trust. Also he is a chair of the OECD Committee on the Digital Economy Policies. And mostly importantly, he will be one of the organizers for next year's IGF in Japan. 2023. Also the G7 in Japan. So he has many, many moves.

And Ida‑san, I hope you have a sense of the discussion, how we have been discussing about the free flow of data. And also address the government access with distinguished panelists here. So we have talked many things. We have talked about the principles and how it will impact the governance of data and how it will benefit private sectors and how that will affect a good impact in the ‑‑ on the cross‑border data flows. Free flow of trust.

So Ida‑san, I'd like to hear from you. Your general thoughts about these questions. And what is a real issue right now and how you are planning to facilitate the discussion in the next year G7 and IGF. And also the future of a rule‑setting framework we have been discussing. And we very much appreciate your thoughts and insights. So, Ida‑san, you have the floor.

>> YOICHI IIDA: Okay. Thank you very much, Dr. Yokozawa, for the very much exaggerated kind introduction. And after listening to his introduction, I'm a little bit uncomfortable starting speaking. But very good afternoon, everybody. I'm sorry to come and join late. Because of the other session. And I missed the major part of the discussion already done by the great experts, my previous speakers.

So maybe my story is not very much consistent with the previous discussions. Please allow me.

Let me introduce what we have done over the last few years and what I'm thinking. I cannot predict, but what I am hoping to do next year.

As many of you, or maybe all of you know well, Japan proposed the concept of data free flow trust when we took the Presidency of G20 in 2019. But over the previous two years, we have been discussing free flow of information across borders. To the concept and purpose of the discussion is the same. We wanted to promote data flow, information flow, across borders to produce more economic growth, more social development, and more activities on Internet.

So the purpose was not to discuss and create regulation on data flow. But, of course, we need some room on data flow when we want people to join digital economy and make use of data without concern.

So we started discussing, you know, privacy protections, cybersecurity property, intellectual property protection, and other elements which may restrict data flow. And in the end, we found, you know, many countries are looking at different directions.

But at the same time, without rules, without ‑‑ I wouldn't say regulation ‑‑ but without some norms and rules, people cannot use data and digital technologies without concern and we need to strengthen trust of people on digital economy and digital technology.

But at the same time, these rules and norms or even regulation shouldn't prevent innovation to bring values to economy and society. So we recognize these two elements, trust and freedom on Internet, are not dichotomy. But these two elements should go hand in hand and work in a complementary way. That is the background we propose the discuss on data free flow trust. And we wanted to know how to build up the trust among people so that people can participate, engage, in the digital economy and make use of data and digital technology without concern to maximize the benefits from them.

And we, in the beginning of the discussion, we found a lot of differences in interpretation. And I believe there are still different interpretations and different emphasis on the concept. But still, I believe many countries, many government officials, many private sector stakeholders understand the importance of synergies between trust and freedom and synergies between some rules and enabling open environment.

And at OECD, the Committee on Digital Economy Policy, it has been actively discussing various elements, various aspects of digital economy. And including data flow. So they have been discussing data free flow trust among other very important elements. And among different aspects to promote data flow, they found government access to data held by private sector is very important element because we found some cases which are preventing, in fact, preventing data flow across oceans.

The work on government access was not to create a new rule or create new principles for OECD member countries. But the work was objected to collect current practices on government access to private data across member countries and extract the common element.

So this is a kind of fact finding and not rule making. But based on the result of the discussion, I think member countries recognized their broad range of common practices. At the same time, there are some gaps between countries.

So there are going to be some chances that governments may reconsider their practices and try to make their own regulations or their own ways of government access more harmonized to other member countries' practices.

We, Japan, and probably many other countries understand the rules and regulations not only on data flow but in digital technology or digital policy, in general, must be varied from country to country. Because these are rooted deeply in the social backgrounds, cultural backgrounds, or even historical backgrounds and economic development stages. And many other factors. So we never believe all countries can achieve the same regulation and the policy framework in digital. But we try to coordinate and we try to strengthen the interoperability between different frameworks, regulations.

So government access practice is one of the such practices. To strengthen the interoperability and promote harmonization. So that the people can transmit their personal data without concern to overseas to other countries, to other regions. Because their own personal data are not abused or accessed without legitimate reason by authorities in other countries.

So that's what we have done until now. And we are looking to hosting IGF next year and taking the Presidency of G7 next year. And we are hoping to create some synergy between discussions in governmental forum and IGF multistakeholder discussion.

And the discussion on data flow would be one of the most promising factors to share between different work streams and to create more robust outcomes from the discussions.

Even at G7 or G20, we are always trying to listen to multistakeholder voices and also in OECD. As ICC has been making tremendous contribution to business at OECD channel. And we are also trying to listen to business community or Civil Society when we discuss digital policy in G7.

So next year, we try to cover those topics not only in IGF but also the G7. And we try to synergize discussions between different work streams and probably we hope to build up more continuous and more open initiative to invite all those speakers from different communities to join together and discuss data flow and take actions to improve the data flow across borders by improving the interoperability in frameworks. Policy frameworks and regulations but also the practices or other elements which related to data flow and data management, data utilization.

So that's what we are trying to do next year. And we definitely need collaboration, support, and engagement from different community. Please contact us and join our discussion. We look forward to working together. Thank you very much.

>> MAC YOKOZAWA: Thank you so much. Yes. That is a great answer to the work that will be happening in the next year. And you have nicely described why the soft law approach or principles is very, very important to harmonize regulation and while expecting the diversity in the culture and the all many countries, many nations are facing differently. So thank you so much.

And I apologize. We don't have the time to have audience Q&A time. So, but firstly, I would like to wrap up the whole discussion in this session. And in a very, very short phrase is so we have nicely discussed about cross‑border data flow. And also the trust of the government access. How this is important to business. Not only for the business or the civil and also the more importantly, data subjects and people. Yes.

And this is very uniquely described as this is a rule setting for the government, itself. Most of the regulation is aiming toward the private sector. Or the Civil Society. Or the citizens, itself, themselves.

So the government access is very different. This is a regulation on regulatory makers. So this is a very difficult argument here in this room. But I personally found there's many coins who have both sides, one side and the other. And we have to take care of each side. It's how we can expect human rights versus economic improvement. Economic growth. And many things. Data utilization and the data protection is one of the things we have to take care.

So this is a very, very difficult challenge, but working on that with multistakeholder approach as Iida‑san and many other speakers have mentioned.

So just me, this is a wrap‑up. And Timea, if you think we have a few minutes to take a question & answer from the audience, or if not, we'll close this session. So Timea, please.

>> TIMEA SUTO: Thanks very much, Mike. I hope you can hear me. I negotiated two minutes with the kind sir has the door closed for others not to come in for the next session. I believe there was one question at the end of the room. She's about to take the floor.

>> AUDIENCE: Hi. Firstly, thank you so much for the amazing conversation. I come from Turkey's Internet Observatory. I think we're quite the description of what you have mentioned when it comes to surveillance technologies being used to push back the dissent.

What we encountered recently a law that gave obligations to Twitter and social media platforms to give data to the government when there's someone doing some panic.

What we see in this particular thing, the legislation that gives responsibility to Twitter can be used for expressing opposition and the thing is we don't have any mechanism, any power mechanism that would allow or prohibit Twitter from actually protecting us. We're in between the decision of Twitter and Turkish government. We can't see a legal framework that would support us in our effort for democracy. We're not a country like North Korea or China with the tech companies. So in this situation, what would be your recommendations about a good kind of legislation or mechanism that would prevent governments from spying on their citizens? Because just like you said, the IP information and all kinds of personal information will kind of allow people to go to jail if Twitter complies with certain governments. Thank you so much.

>> MAC YOKOZAWA: Thank you. If somebody wants to respond to this intervention, that's a great one. Thank you for your interventions. That's quite helpful for us.

So if not, please join me in thanking all the distinguished panelists and the audience participants and organizers, Timea and many and the UN tech supports. Thank you very much. And I hope keeping this momentum in the next opportunity including in Japan. So thank you, again. So have a nice day.

>> TIMEA SUTO: Thank you to you, Mike, everyone on the panel and online, everybody who joined us online and here in the room. Again, apologies for running out of time. We will take your question back and ask our speakers. Please use your contact details here with me. We'll try and get back to you. Thank you, everyone.

>> MAC YOKOZAWA: Yeah. Thank you.