IGF 2022 Day 4 Lightning Talk #54 Improving Data Protection Laws through Grassroots Learnings

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> Hello.  Hello.

     >> VINO LUCERO:  Okay.  Please settle down.  Sorry to shock you a bit.  Okay.

     Good morning, everyone.  My name is Vino, and it is a welcome to me to welcome you to this Improving Data Protection Laws through Grassroots Trainings.

     So, today we will be hearing from six speakers from different countries, and they will be sharing about key learnings and inputs from their respective countries about how to improve eprotection policies.

     So, online participants and in‑person participants are encouraged later to share briefly insights, if you still have the time, but yeah, without further ado I want to introduce our first speaker, Santosh Sigdel from digital rights Nepal who will be sharing about key insights and learning from the Nepal situation.

     >> SANTOSH SIGDEL:  Go thank you, Vino.

     Good morning, everyone.  I'm Santosh Sigdel from digital rights Nepal.  I'm from Nepal and digital rights Nepal is established to promote digital rights, promote and protect digital rights.  We have been working with wide ranges of stakeholders, community member organization, and we have been getting support, technical support from organizing like media, the news and ICNL.

     Since last few years, data protection process in Nepal has increased.  So, has the issues regarding protection of data.  And well, there are few by the Government, like identity regarding, machine learning, driving car, machine learning passports, so these have established many digital systems, but there is no comprehensive data protection law.  We have individual privacy act, but that project covers the data protection aspect.

     So, alongside there is a huge kind of lack of coordination and collaboration among the Government agencies, so there are multiple databases, but they do not talk to each other.  There is no interoperability that also increases the risk of data protection, data abuse.

     And individual privacy act is there, but it doesn't talk about the data protection and the private companies.  There have been recent cases of data breaches by the private companies, and they are not held accountable.

     And there is a very low level of understanding among the stakeholders, including the community organization, and within the parliamentarians, also, they have ‑‑ this is a kind of new concept.  Data protection or the digital rights is a new concept among the stakeholders.

     Based on our learnings, experience, working with the different stakeholders, we have few recommendations, for the data protection policy making processes.

     The first is, because it starts with the public service delivery processes, and there is a federal country, there are 750 local Government in Nepal, and they are providing public services and at that time they are collecting obtaining data.  This would be accountable to protect public data.  So, citizen data.  That is the first recommendation.  It starts with the public service delivery point, US point.

     The second is the public data protection policy should be guided by the right approach.  So, there should be explicit mention of the rights of the data holder, the data subject, and at the same time, this should prioritize the community ONS or ONS capacity building processes also.  It is not only making laws to provide sanctions, but at the same time it has to work with the ONS and capacity building, as well.

     And third recommendation is, citizen or data subjects should have control over their data.  So, data control is very important.  What is made public and what is not made public, and at the same time personally identifiable information, EII, should not be made public unless it is required or in a very limited cases this would be made public.

     At the same ‑‑ on the recommendation is because public companies are very powerful actors and collect personal data all the time, so this would be also held accountable in the statutory manner, so apart from the due diligence, and there is an audit of every time their due diligence audit is there.

     And the last recommendation from our side is, this would be ‑‑ if there is a violation of data rights of the data, there should be a protection mechanism with remedy.  Without remedy, it is not going to work, so the data subject if their private data, personal data has been risked, there should be a remedy.

     So, these are the set of recommendations that we have collected.  It is not our recommendation, but this is based on our experience of working with a different stakeholder in Nepal.  I hope it will be useful for the data protection policy making processes.

     Thank you. 

     >> VINO LUCERO:  Thank you for that Santosh, we were given a data overview of protection in Nepal.  Thank you so much for the key learnings that you shared.

     From Nepal, let's go to the Philippines.  Our next speaker is ‑‑

     Hello, everyone.  In the Philippines it's been ten years already since we had Data Privacy Act, so that is 2012.  And after four years, in 2016, the national privacy commission was set up.  So, the national privacy commission is considered as the country's privacy regulator, but one of the key criticisms about the NPC, even after ten years, or let's say six years since they were established, no one has been fined or jailed for any of the violations of this law.

     In an article written in 2020, it is said thousands of companies and data breach ‑‑ sorry, thousands of complaints, I mean, and data preach notifications have been breached by the data commission over the past year 2016 to 2020.  Only a handful of these have known ou comes and none of which have involved serious consequences.

     It is also said that many cases have been marked as results already, mostly through mediation or settlements which may involve non‑disclosure agreements, hence the reason no information has been released about these cases.

     Obviously, the complaints filed to be NPC, the national privacy commission, have spiked up during the COVID‑19 pandemic with cases involving contact tracing apps and scans involving online lending applications.

     So, to give you an idea, these cases involve exposure of personal data of hundreds of thousands of Filipino consumers and it is Tau sins, but the main criticism directed towards the NPC, there seems to be no penalties, no arrests, no jail time for any of these companies and apps and individuals involved in any of these cases.  So, it gives the impression that companies that are engaged in these practices can actually get away with being negligent in their data protection practices in the country, but the thing is, if you are a regular Filipino, like me, who knows little about data privacy, you might actually get the impression that the NPC is doing its work, and it's doing a good job at it, but for data privacy and security professionals, this sheer lack of transparency and the lack of publicly available information on what they are doing makes it seem that companies can get away with any data privacy related violations.  So, this is something that is ironic, because the Data Privacy Act in the Philippines is actually touted as one of the most stringent privacy laws in the Pacific Region.  For us, and out of the box as a data literacy organization, we understand that one of the key gaps is really gilding the basic awareness of the Filipino public, and even the Filipino policymakers when it comes to the importance of data privacy.  Most especially since Philippines is considered as a social media crazy or savvy nation.

     That's it for me.  Thank you.

     >> VINO LUCERO:   Thank you so much for that, Marlin.  I agree the Data Privacy Act of 2012 in the Philippines is a good law by itself, but definitely needs improvement when it comes to implementation.

     From the Philippines, let's go next to Cambodia, let's call on Lidan Hop.

     >> Lidan:  So, good morning, everyone.  I'm Lidan, from CC Cambodia.  I would like to give you an overview of the data protection situation in Cambodia.

     Basically, in Cambodia, there is no comprehensive legislation yet that specifically address the issue of the data protection.  So, this means that the people in the cross-world community, they must experience or encounter a lot of problem in this regard, especially the personal information in the digital platform which should be considered by the Government in creating the data protection in Cambodia.

     So, far, the existing laws, such as Cambodia constitution, the society board, the E‑commerce law and the law that is setting about the protection of data personal data and personal information, but the terms seem very broad.

     So, what we have learned from the finding of the research that we have conducted in contribution to the engage media report on digital savvy and Internet freedom, most of the young people, especially the indigenous people, student, they very, very to the digital attack, and maybe because of the sufficient education or lack of social media and digital skill and lack of the risk of the problem that they could possibly encounter on Internet.

     So, in general, I think that it seems they don't care much about the personal data, and what is more concern right now in Cambodia is that during the absent of the data protection policy by the Government just at the national Internet gateway would pose a serious concern to what the data protection, because the national Internet gateway enables the Government appointed operator to monitor, to manage the Internet traffic in Cambodia.

     So, I think because of the establishments of the international gateway, how we can ensure that our personal information and data in a safe place and how to ensure that the Civil Society, the journalists, the human right defender, the national Internet gateway.

     So, I would like to conclude by saying that data protection policy is needed in our country, because it could protect people from, lake, personal data violation, and by establishing the law for the shape of the national security is important, but it has to be really balanced with the human rights.

     Also, what we have learned is we consider helpful to the policymakers and the Government is that we need to, like, track the data protection law with the mathematic consultation, as well as the Ministry of Education to integrate the data privacy education to the educational system so that people will realize how the data privacy and digital safety is important.

     So, thank you.

     >> VINO LUCERO:  Great.  Thank you so much for that, Lita.

     One thing that stood out for me would be maybe integrating the data protection law, some professions wherein you enable schools to contribute to education when it comes to Digital Rights and data protection and even training for Government officials, maybe.  Something to consider.

     Thank you so much for that, Lita.

     From Cambodia, let's jump to Sief Mohammed for society, peace, and Democracy will be sharing about key learnings from the Maldives experience.

     >> Sief:  Thank you so much.  I am Sief from the Maldives.  I represent society for peace and development.

     Unfortunately, Maldives is still in the process of drafting a privacy and personal data protection act.  North Pacific legislation has been adapted so far, however, there was a webinar on data protection and privacy for senior Government officials, and officers and journalists on November 2021.

     It was an initiative of Minister of environment climate change and technology of Maldives and the Pacific training center for ICT for development.  And this webinar also and to contribute to the country's effort in strengthening data protection and privacy at the national level.

     Here what we have to understand is when drafting the policy f we marginalize the grassroot colonies from a bigger strategy and if we fail to listen to their voices, we won't be able to see the positive results.  The essence of grassroots involvement is we are learning from this ordinary people as they always come together and address the issues in their communities and take action to advocate for change.

     So, the whole point here is that the voice should come from the bottom to the top, which means from the grassroot level to the policymakers so that we'll have bottom-up solutions for the grassroots.  And they will feel like they've been heard.

     Also, to improve and develop the grassroot communities, we must empower them to discuss their issues and those who are affected the most to have socially inclusive approach.

     Some key things we have noticed is the communities will be motivated more if we different them the opportunity to voice their perspective and to feel their involvement.

     And when we involve grassroot communities, we can identify their needs easily and we will be able to cater their needs and to deliver what they really need in the sense of data protection.

     And when we collaborate and listen to them, we'll be able to find out what they know more than we think that we know about them.  So, we might think that we know their needs, but we'll have to go over there and have a conversation with them to actually know what they want and what they know about the protections and their needs and everything about data protection and their privacy.

     Again, grassroot discussion is kind of a knowledge sharing.  We learn from them and they learn from us.  It's a two‑way communication, and it is important to spend more time on the ground seeking the local knowledge from the community members and others living and working in the community, as well.  We need to build a digital culture through the less accessibility people and more diversity and inclusion so that everyone can hear the knowledge and information and then they can share it with them and with us.

     Thank you. 

     >> VINO LUCERO:  Thank you so much for that, Siev.  So far, we have heard from representatives of countries that doesn't have a data protection policy yet from countries that have a data protection poll you will see or law that doesn't apply it or implement it well, so a lot of perspectives have been captured so far, but from Maldives, we will go next to Sri Lanka.

     So, next speaker is Bershatha will be sharing about the Sri Lanka grassroots communities. 

     Thank you, Vino, and good morning everyone.  I'm representing #generation, and we are a youth led organization in Sri Lanka, which works primarily around social media and the digital space.

     So, we are exclusively working on making sure that it is just inclusive in a safe environment and also focus on Digital Rights and safety for individuals who are using set of social media space.

     In terms of our work, we execute Sri Lanka's only monitoring process.  

Also, at the same time we focus on training and engaging with data in grassroots in areas to media, literacy, critical thinking, as well as on digital safety and digital rights for the citizens.

     In this scenario, they have been able to identify certain priorities or certain concerns that the Sri Lanka citizens have faced over the period of time.  Also, one thing to note is Sri Lanka is currently going through an economic and political crisis, and this too has a lot of reflection and sort of ripple effect on the activities that are going on in the digital space as well.

     At the same time, it's important to note that earlier this year we have passed a personal data protection act, however, it has not come into implementation as of yet so that's also something that is important for us to note.

     When it comes to main concerns that we have observed and also identified in this dialogues with the grassroots is, one is the existence of a lot of scams and fishing attacks around the country, and the current economic crisis we have seen an increase in these kind of scams, especially things that focus Visa, work entry into different countries, education opportunities, lotteries, things like that, to which many of the public fall prey to.

     The second aspect is a lot of sexual agenda‑based violence, including non‑consensually maturing, doxing, and other forms, which are creating a lot of privacy issues for many of the gender ‑‑ for women and LGBTQ community in the country.

     Will is also a widespread of fake accounts and bots who are also challenging the digital space a lot.

     In terms of because of this main issue, there are many more, but with these main issues, we would like to have a few proposals to the decision makers for here.

     So, one is we observe as a lack of understanding on why data is valuable, why it's important, as well as what Digital Rights are.  So, we would propose an extensive education and awareness program across the country for people to truly understand why it is important and what are the kind of areas that's important.

     And second is for ‑‑ because we already have the data protection policy or act, it has not been implemented so we would like to propose that act to be extensive Lou e and properly implemented with a lot of transparency, including the allocation of data protection officers, conduction of proper data impact as well as establishment of the data protection authority in Sri Lanka, and also a lot of these policies are sort of stagnant, but the digital space is something that is evolving and dynamic all the time.

     So, it's important that the digital protection policy are also dynamic and evolving with the issues.

     And we would also propose a multistakeholder platform which includes the Government, the state, the CSOs and other authorities who are able to contribute collectively and comprehensively to these conversations that are going on.

     Also, we hope that data, because data is so valuable, that it can be utilized for social good.  So, we hope there is a transparent and inclusive way that this data can be utilized in a good way.  So, this is our input from Sri Lanka. 

     So, thank you very much. 

     >> VINO LUCERO:  Thank you for sharing the learnings from the Sri Lanka communities.

     The last one would be from Indonesia.  Wahyudi Dyafar.

     >> WAHYUDI DYAFAR:  Thank you, Vino.

     Good morning, everyone, and thank you for having me.

     So, I am Wahyudi Dyafar.  I am representing Policy Russia and Advocacy, ELSAM from Indonesia.

     So, as Indonesian Government and parliament, last September, just based on the comprehensive data protection law as part of the process of the struggling to providing the new data protection law before Indonesia conducted of the G20 meeting on November last month.

     So, ELSAM has what is long experience to implement of the contract engagement with the parliament, so we provide to the parliament members, and also part lament expert part about how to formulation of the data protection policy or data protection legislation, including ELSAM privacy brief, recommendation, and also what is list of inventory problem as the requirement of the process of the deliberation of the data protection law in Indonesia.

     So, we have the close engagement with the parliament to what is the deliberation of the data protection.

     So, currently we are in the process formulation of the implementation regulation, so I think it is very important to endorse the transparency, accountability and also the participation in the process of the formulation of the implementation regulation to implement to effectiveness of the implementation of the data protection law, including we have two years transition period to establish of the data protection authority, because it is very important to effectiveness of the implementation of the law, because the data protection authority, it is what is established part of the Government institution, so I think it is the problem of the law, because the data protection law, it is applied to the private sectors, including the public entity, because it is refers to the protection regulation, but the establishment of the data protection authority, it is part of the Government institution, so we are worry it have the problem situation how to ‑‑ what is enforce the compliance from the data controller, especially from the public entity.

     The law also have the problem on the issue of the exemption, because it is too broad of the formulation of the article of the exemption in the name of the national security, in the name of what I said public services, et cetera, so I think we need more what is collaboration with all of the stakeholders who make sure that the strong and the detail of the regulation to implementing of the law, because we have of the major what is section some of the regulation of the data protection.

     In our research, we found more than 48 of the section legislation in Indonesia with the processing of the personal data, so I think we need what is more of collaboration with all of the stakeholders, including industrial to what is implementing of the law, including how to socialize into disseminating of the content of the law to the public, because it is the new issues for the public in Indonesia how to understanding about the privacy, as well as how to understand about the important see of the personal data, so I think we need of the long work to implementing including to what is more collaborate with all of the stakeholders.

     Thank you.  So, I think it is what is the situation and view from Indonesia. 

     >> VINO LUCERO:  Thank you so much for that, Wahyudi.

     Before we wrap up, we have a few seconds, if anyone wants to share from the audience, maybe 30 seconds, just to check.

     Okay.  Just quickly.  30 seconds.

     >> AUDIENCE:  Good morning, everyone.  My name is Estf.  I am from Ethiopia, Vice President for ‑‑ and I would like to share within a short period of time Government protection of data.

     We have the constitution.  In the contusion on article 26, the right to privacy of persons has been protected, therefore that right to privacy will not be trespassed by the Government.  It needs to be spelled out clearly in the laws.

     And another governing document that we have is civil code but no overarching law.  There is a draft proclamation prepared by the ministry of innovation, and it has been tabled to the parliament, and hopefully the parliament will enact that proclamation and governs how the data is protected and how it will be disclosed because of national security.

     And also, the court has decide ‑‑ gives different decisions, protection of data.  And federal Supreme Court has decided that without permission of the individual, his photos, his correspondence, his letters will not be disclosed.  If it's disclosed, then a person who is affected by the disclosure of that data can result to the court and he can get needed compensation.  Therefore, we don't have an overarching comprehensive law of data protection, but we have this draft proclamation and there are different provisions in different laws.  Hopefully strategy for 2025 is going to be one of the instrument, one of the strategy, and these laws are going to be enacted, it will help us to a digital society.

     Thank you. 

     >> VINO LUCERO:  Okay.  So, we have heard from several countries from South and Southeast Asia and Ethiopia about the data privacy situation and then some key learnings about what we can do to improve the protection of data privacy.

     Some common themes, just to quickly wrap this up, we heard that there is definitely desire for transparency in the creation of data protection policies and decision making around the topic of data protection.

     There is a need for accountability mechanisms for offenses against data privacy for the united people.

     No. 3, multistakeholder participation in the crafting, passage, and implementation of data protection policies, it is very important across countries.  So, definitely we should give that due attention.

     Lastly, investing on data privacy, education, and digital literacy.  I think that is also common theme across countries.

     So, with that being said, we hope that these learnings will be useful for all, and hopefully it will trigger questions and conversations as to how we can improve the protection of data privacy of our united people.

     Unfortunately, we don't have any more time, but let's continue the conversations after this session, just 30 minutes after, right, very quick.  You can definitely reach out to engage me and the featured speakers today to continue the conversations, and maybe engage in possible collaborations around the topic of data privacy.

     Thank you so much to all the speakers and who shared, thank you so much for Berhan Taye for doing the moderating online, and thank you all the participants online and in person for attending this session, and we hope to see you in the other sessions.

     Thank you so much.