IGF 2019 – Day 2 – Estrel Saal C – NRI Collaborative Session On Privacy Online

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR: Good morning, everybody.  I will give you one more second to get situated here, as people are coming in it.

All right.  Well, welcome.  This is an NRI session.  I always found these to be really informative to hear what the other regions and nationals are up to.  So thank you all for being here this morning.  We're going to focus this one specifically on privacy best practices and hearing how others are managing the privacy issue.  This will be interesting dialogue.  I hope to learn ‑‑ if other people are doing a better job than some of the challenges we are having especially in the DNS space as we're working through that.

So welcome.  I'm just going to go ahead and introduce my co‑moderator here.  I'm Shane Tzu, I'm with the Internet Government Forum from the United States.

>> LUIS FERNANDO CASTRO: I'm Luis Fernando Castro from Brazil.  I'm a member of the CGIBR, part of the Brazilian steering Committee.

It is a pleasure to be with you, Shane.  We had a previous discussion in the previous session that I believe in a certain measure we will follow, go forward with the discussion.  We heard that as a common sense that countries, different countries must adopt legal frameworks for data protection, but as we heard before and we will hear again, certainly, we have different levels of implementation.  And one point, I would like to and in general is bring the experience of their countries and regions, but with very pragmatic approach.  We would appreciate to left hand of from ‑‑ appreciate to listen from you what you view as positive implementation.  And I would put a general question, if there is a real awareness of the citizens and companies about all these issues, well, I don't want to steal the time from everyone, and I give you back the word.

>> MODERATOR: So one of the things we will also be taking note of is the difference of how you manage what we consider privacy versus data protection.  Some people consider it the same thing.  We see a delineation of that in the United States.  I am interested to see how others see that.

The first question is to all the NRIs in the room, we want to talk about the privacy practices and data protection are working or reviewing at the national or regional level.  So who would like to be our opening discussion person?  Go ahead, please introduce yourself.

>> PANAMA:  I am Adiaso Branaugh, from Panama IGF.  Working with all the Central America regions, we are bridging brief information about all the region.  As for your question, in Panama, good practices in personal data protection and privacy are practically no existent.  Recently, we launched a study called who has your back, in first edition in Panama.

For example, in the field of telecommunication and telephone companies, few companies publish a data protection policy so that their clients know their rights.  So it is a narrow view for all citizens.

The same with the transparency report.  It is new in Panama and only one company practice it.  On the other hand nobody notify users when they receive the request to access user data.  Another good practice that companies have is the use of HTPS protocol to avoid information breaches through attacks or even robberies.

Some of also ‑‑ some of the companies in Panama also use guidelines for requesting personal information oriented through the authorities.  Something new.  And perhaps what I just mentioned in this your countries, in your countries, it is a general rule, however in Panama it is not.

The vast majority of companies that apply these practices are foreign capital.  So Panamanian companies really need to join the practices, maybe join all the good practices that foreign companies have.

If someone wants to know more about the result of the research, please tell me later.

>> MODERATOR: You said did you all come up with something called who has your back?

>> PANAMA:  Yeah.

>> MODERATOR: From the IGF perspective?

>> PANAMA:  Yeah.  We have some.

>> MODERATOR: If you would like to share, that would be great.  Who would like to go next?  Anyone?

>> I will go next.  Can we ask if the representative from France is here or not?

>> MODERATOR: Do I have a representative from France in the room?  It is a big building, maybe they will be here in a bit.

>> I wanted to see.

>> MODERATOR: Acknowledge them.  Anyone feel like being from France this morning?  Just checking.  I wouldn't mind being from France.

>> AUDIENCE: I'm happy to jump in, my name is Dustin Loop, I will represent what we discussed at IGF‑USA and the state and data protection for us.  Our situation is that right now, we do not have a comprehensive federal privacy or data protection law but instead have a variety of sector specific laws that cover things like healthcare or financial data specific protections for children and other things like that.  And in addition to these federal laws that cover different sectors, we have a growing, vibrant patchwork of state laws.

One good example of that is all 50 states plus the District of Columbia and several territories all have their own data breach notification laws.  And while, you know, generally they have the same goal in mind, it doesn't mean they're completely compatible.  It can create confusion for companies to comply, even when they intend to.  There may be discrepancies around what constitutes a breach.  What kind of data breach and the type of information involved requires you to disclose that there was the breach?  And how quickly do you have to report that?  And who do you report it to?

In some cases it is the state's Attorney General, some cases, it is a different branch of Government.  So this is just an example of one of the ways in which these ‑‑ while there is a patchwork, it leaves potential gaps as well as overlaps that can be difficult for compliance.

And speaking of compliance issues, we now live in a world with GDPR, which a lot of U.S. companies have to be aware of as well, based on serving customers in Europe and additionally, we have our own domestically grown state laws, the most notable one of which is coming out of California.

It goes into effect this coming January.  Although, because they're still figuring out what's actually in this bill, it won't actually be enforced until later in 2020.  But this combination of all of these different pressures has pushed the sentiment in the U.S. to a point where we kind of at least agree that we want to have a federal baseline privacy law, which is a kind of big step in terms of our current divisive political scenario.  So I think that is a positive step for us to move forward and eventually get to some sort of federal law.  But until we get there, there have been some steps of current regulatory agencies actually kind of entrenching and really moving forward with strong enforcement.  It was actually the day before we all gathered at the IGF‑USA to discuss this topic that our Federal Trade Commission announced its biggest ever fine of $5 billion against a major tech company, most of you probably know who that is.  And they also included different requirements for restructuring within the corporation in hopes of kind of building a culture of compliance to things that relate to privacy and data protection.

So right now, we kind of have a little bit more harm's based approach than a right's based approach that you will see in places like Europe.  It is yet to be seen how that will be incorporated into a federal baseline privacy law.  But we are at least at a point where we can agree that the majority of people want one.  And that's a good basis to hopefully get there some time in the near future.

>> MODERATOR: Great.  Other NRIs?  You want to introduce yourself?

>> NIGERIA: Thank you.  I'm Jimson Alucy.  You can say Nigeria IGF, West African IGF, highly involved in all of this.  I would just talk about progress in Nigeria.

>> MODERATOR: If you could pull your microphone just a little closer.  You are a little difficult to hear.  Thank you.

>> NIGERIA:  Yes, I would like to talk about progress in Nigeria when it comes to data protection and of course talking about data protection we are also talking about privacy of data and what our view.

Well, in the previous year, the national development ‑‑ national I.T. development agency of Nigeria has a mandate to come up with standards and regulations framework guiding ICT industry.  Nigeria came up with a framework, regulatory framework for data protection.  That is the very first time we have something to secure data of private citizens.  That is quite cross‑cutting.

We made provision for who to make responsible.  Make the delineation between the data controller, data owner, and data subject.  And for violations, for anyone processing about 10,000 data subjects, they have a penalty of 2% of the gross income or financial fine of about 10 million naira.  Which is around about say now, 30,000.  If it is data subject less than 10,000 subjects then we're looking at 1% penalty for violation or maybe two million naira.  So about $6,000.  Penalty.

>> MODERATOR: I'm sorry.  A follow‑up question.  Have you actually had penalties on anyone?  Is this a new guideline.

>> NIGERIA:  New guideline.  Kind of creating a lot of activities in the industry.  Creating serious awareness.  At this point, the contribution of ICT to GDP is about 10.8%.  It is a lot of breaches and handling of citizen data.  But this time around, there is a lot of jobs coming around that new development.  We have data compliance agents appointed to help companies to become compliant.  So there is a serious issue or serious discussion about the need to guard citizen data.  Security comes into play.  And also concern about breaches and what have you.

In Kenya, Kenya came up with the act the digital protection act.  I think as recent as two weeks ago, thereabout.  It has made provision for the appointment or setting of a commission, with the commissioner to be in charge to oversee the implementation of the act.  And of course, the same provision in terms of the data controller, the subject ‑‑ the data subject.  And penalty for breaches.

In it Kenya, that provision for jail time for five years.  Nigeria doesn't have that.  And also fine of up to I think five million shillings.  But the issue now from what I gathered is that there is some form of litigation on that act because citizens feel it is not independent enough, because it is still within the civil service framework and may be less concern that it could be compromised.  So the request or the desire is that it should be independent.  The commission should be an independent commission.  So that is the issue right now.  Maybe anyone from Kenya IGF they talk more about that.

But that is so far the activity going on within Nigeria.  It is positive, it is creating job, and it is really reflecting that policymakers are really becoming citizen focus.  Citizen centric.  Thank you.

>> MODERATOR: Thank you.  I didn't catch it.  Which Nigeria is ‑‑ in Nigeria which ministry is heading up?

>> NIGERIA:  Minister of Communication.  Minister of Communication, branded Ministry of Communication and digital economy is the main ministry.  As the agency responsible, that is national information technology development agency.  Yeah, I just heard a voice.  The chairperson of the convener of Nigeria is around.  Maria duma.  And also the Chair of the African IGF MAG.

>> MODERATOR: Welcome, Mary.

Other NRIs want to talk about if data protection ‑‑

>> CO‑MODERATOR:  From Brazil.

>> BRAZIL:  Good morning, everyone.  I would like to update you on the Brazilian conference regarding data protection.  We passed a law in general in 2008.  After long discussion, it was started in 2009, when the Brazilian steering Committee, IGR concluded on the Internet governance principles in Brazil.  The framework came in force in 2014.

Our new data protection law is very much inspired in GDPR in Europe.  However, there is concerning innovations that could undermine the trust there could be avoidance of application of the law.

There is high unsettling without the data protection authority in place.  In this situation, if you consider the tiny time frame to the data protection law entering in force in August 2020.

On the other hand, our Supreme Court are discussing the legal aspects of encryption.  The IGR believes that strong encryption is for secure flows on the Internet.  For users, and public entities.

In a public statement launched last week, before the IGF, the Brazilian Committee affirms the authority and free implementation of strong end‑to‑end encryption, and for the exercise of rights under the federal constitution and constitutional laws including the new data protection law.

And also reaffirms that an eventual implementation of privilege access mechanisms through two back doors or master switch may be ineffective in face of technical aspects impossible to overcome in order to obtain the original message.

Besides potentially posing great risks, widely creating security breaches that could be exploited for many issues proposed.  CGI propose that solid encryption mechanisms are fundamental to the systems to business secrecy and ensure no liability of network intermediaries and the functionality, security and stability of the Internet.

Finally, CGI also highlights that a potential choice for vulnerable encryption mechanisms would go against international best practice and severity effect the users and business on the Internet as well as could innovate, innovation and evidence of business models.

This public statement was launched last week, as I said.  It is available on our website.

And that discussion going side‑by‑side with the discussion on how to better instruct our new data protection authority, which is still unclear.

>> MODERATOR: This was last week?

Last week?

>> BRAZIL:  Yeah.

>> MODERATOR:  Look forward to next year.  You have been busy.  Other NRIs want to talk about privacy on their forum?  Sebastian.

>> SEBASTIAN:  Thank you.  Sebastian, IGF France.  I am here as a board member of APNIC and President of Internet Society, French chapter.

In France, privacy and data protection are key rights protected by an act of 1978 on the information technology that identifies civil liberties and completed by Europe and legislation in particular regulation as GDPR and convention from the area of Europe.

There is a general mission of informing individuals of their rights, according to them by French Data Protection Act protecting the right of citizens, regulating and sanctioning.  On January 21, this year, there is an action and GDPR and French law and issue Google fine of 50, 5‑0 euro based on complaints of NYOB, none of your business ‑‑ sorry.  And digital right activist (speaking non‑English language) in May 2018.  One of the key point of the decision is lack of transparency and varied consents for rights personalization.

The GDPR has introduced new mechanism in the field of data protection.  In France it is possible to sue for compensation.  Such collective action are ongoing in France.  One of the key challenge is to qualify harm related to the violation of the data protection rights.  Does the relation of the person's role, obligation by a data controller constitute irreparable damage?  How to constitute harm when it is asking for composition.  What is happening in cross border situation where the action meets the one‑stop shop mechanism?

I think it is ‑‑ what I can give it to you as IGF in France on this topic to give you landscape of the situation.

>> MODERATOR: Thank you.  We will move to the next question.

>> CO‑MODERATOR:  I would like to make a pragmatic question for all the panelists.  In terms of enforcement of capacity to play this right, to acute the road that we are discussing, what can a citizen and users really do?  And what role should Internet platforms play in defining the standards for privacy and data protection online?  Who can start?

>> MODERATOR: Go ahead, yeah.  Kick us off here.

>> NIGERIA:  Again, my name is Jimson Alovey.  I'm a member of the IGF‑SA.  It is as Internet governance legislation.  Highly interested in a number of the questions, indeed.  How can users, platform add value to this.  Talking about self‑governance.  In the data protection regulation I mention, there is a requirement that for every platform, for every Government virtual presence, there has to be a privacy policy.

Privacy policy, terms of condition for use.  That is important for a requirement.  Before now, it wasn't so.  You find about 99% of platforms in Nigeria, for example, they don't have a privacy policy or terms and conditions.  But now, as a requirement standard, and the agency responsible for providing kind of a guideline.  So that is good responses to that.

Government is leading the way.  Usually if Government does not lead, nothing really happens.  So with Government leading the way, with regard to the own President is having privacy policy and terms and conditions, that kind of creates good awareness for citizens to take note.  But as you know, it is quite challenging for users to read terms.  You know, you buy a new device.  You see a lot of directions there.  Many times you don't read it.  But it is recommended at least firstly you should read, be engaged.  Organization like ours, because I'm also a member of the Africa city alliance.  We also do some sort of housekeeping to ensuring best practices.

For a number of us in platform development, yes, it is basic that you must have this for every deliverable, we must make sure that we put industry framework in place to ensure that there is data compliance to regulation.

The agencies still need to do a lot of mobilization awareness.  Many people do not know about their rights.  They don't know what to do.  The NRI ‑‑ the Nigeria (?) with many laws, perhaps maybe we will talk more about it.  There is a lot of publicity around multistakeholder engagement to know your right and also watch out for at least for your way your data is handled.  Okay?

But awareness is key.  As you know, the weakest parts of any form of security process is the human part of it.  So we need to do more with capacity development.  Even as we are focusing on sustainability development goal.  Today, $6 trillion is the last measurement for breaches, abuse, what have you.  So citizens need to take it seriously.  Banks as well.  Lose a lot of money.  Take it seriously.  We need to guide our assets.  If it is important, we should be concerned about it.  We should pay more attention.

So let's talk more about it.  Let there be more IGF at the local level.  With that, there would be more awareness, and more citizens will take the data seriously.  So I think the long and short of it is that Government needs to continue to to lead the way and provide support for the NGO like us and NGOs at the local, regional, national, global level.  Thank you.

>> BRAZIL: I would like to propose a discussion with two bullet points.  The first one, regarding the need for minimal transparency standards that should be adopted by all the platforms.

We should take into account that there is an ISO metrics on size, power, policy, the way we look for all the platforms and how the Internet is structured nowadays.

Another topic ‑‑ another thing that we should look for is the capacity ‑‑ how to enhance or foster the capacity contributing users in the skills in literacy on privacy and data protection.  I believe that as it goes, perhaps we could benefit the debate on the next years.

>> AUDIENCE: Good morning, I'm Roberto Sobranaugh, I'm the coordinator for IGF in Bolivia.  We would also like to give our perspective about it in this pragmatic way that you were asking me for.  I think many years ago, the people weren't that scared about protecting their data.  I remember those days when the people got into national office or perhaps an event and they were asked to provide personal information.  They wouldn't matter about it.

But after the GDPR staff and all the discussions about this matter, more people are starting to be aware.  Even this days, these same people, actually, whether they are conscious or not are giving not their personal information and private information through social media, for instance.

And I say that this is ‑‑ this is a problem of how we are really, really conscious of what we are accepting, when we sign for this terms of use of the platforms.

As you know, there are tens of pages to see, you usually don't, because you need to use a platform or social media stuff.  Google Maps, I mean, I don't know ‑‑ I'm sure, many of you have the same experience that I have.  And the first time it was really scary.  I mean, I was going out of a supermarket, and then a message pops up in my telephone that says, how was your experience in the supermarket?  You see?  So the first question was how the platform knows I was in the supermarket?  So the platform knows that I'm any time in anywhere?  Who authorize the platform actually to have this information?

And when these questions are asked then you remember, yes, I remember that someday because I wanted to use Google Maps, I had to accept something.  I don't know what, because I didn't read like a hundred pages.  So I think indeed it is important, this capacity awareness, the capacity building indeed.  It is important to have this awareness.  It is important to provide this kind of education, particularly to the vulnerable members of the community, children, for instance.

They give away activities, they give away pictures through social media and in the wrong hands they can be really dangerous for them.  But the other thing we need to do is try to ‑‑ try to join forces in order for the big companies to start synthesizing, start providing very specific terms in their terms of use that we all really know what we are seeing when we are accepting this.

>> CO‑MODERATOR:  You have asked the word.  I have a question and ask you to complete in your answer.  You make reference ‑‑ you made reference to the French national law that since the year 1978.  And all of us know that you have a very traditional important agency like New.  And we would like to know from your experience, how important is to have a good and active national agency for data protection?

And if you believe that lack Neal does the correct job?

>> FRANCE:  Thank you very much Sebastian.  Once again, to answer your question, I hope that nobody from lack Neal is in the room or will listen to me.  But I think it is ‑‑ first, it is a very good tool to have an independent structure taking care of these matters.  The fact that it came early in France was a good asset for including end user.  But I can say at the same time that the fact that there are both having the advice, take action and eventually to be the legal part, because I can send fine to organization, it is may be a little bit too much broad and separation of power here seems to me, personally, not to be completely achieved here.  But it is good to have them and they help on some of the topics.

The same time, I think it is important that we as user or ‑‑ when I talk about user here, I not talking about individual user as I am representing.  But also business user.  Must have a real voice in this type of organization.  Then it came to this discussion about regulation and the action of the multiactors, multistakeholder activities.  And it is where I think those structure need to evolve to be, to embrace more multistakeholder way of doing things that they are doing today.

Because for example, the discussion about GDPR in Europe where lack Neal was a leading force.  Give long discussion within ICANN on this same type of topic for LDS registration data services that used to be called WEIS.  I would have been happy if they had opened this discussion at the national level also to allow better preparation of what is happening at European level and now worldwide level.

I don't want to jeopardize the time here.  I think France is doing two things to answer your first question.  The first one is to, as I said before, the term and condition as enunciated by a lot of people.  Internet Society France work on trying to have less complex and shorter version of those term of condition to allow people to read the more important part of those document and to be a contractor not to be too much.  The second is ebasty.  The goal is to take GDPR at their word and see what is happening in the platform.  This action today, it is a lawsuit against ‑‑ one of the platform.  And we will see what will happen on that.

I will stop here.  But if you can give me back the speech later on to a level to talk as we bring some key message from the IGF Paris.  Not the IGF in Paris, the global one, but the national one.  I have five message that could be interesting for the group.  Thank you.

>> MODERATOR: Great.  So our last question then, we can just open it up for general questions to the group is are nationally developed standards globally acceptable?  Because I think we have two sides of this equation.  As consumers we want to know we're using a global platform, what information we're giving up, how it is being used.  How is that working from the other side, which is compliance from the companies and ministries working from the data side.  How do we make sure the information they're keeping, we have accountability to what they're collecting and always transparency for the individual user.  Anyone want to comment on how that is going?  Thoughts?  Jimson.  Yes?

>> NIGERIA:  Thank you very much.  This is Jimson A. Perhaps before I go into this, maybe if you allow me, because we talk about user awareness.  Okay?  The basic things that we users can do to ensure that online persons is protected.  For example, with the smartphone like this, you can actually disable your location.  Okay?  Just right here, you can disable your location.  If you disable your location, it will not work.  You cannot see where you are, basically.  So there is some basic things you can do.  Users, they need to be aware of that.  Okay?

Now, talking about the standard, whether the national framework aligns with global standard.  The issue was the global standard.  Do we have an acceptable global standard?  What is the reference?  So far, from what we can glean, that of GDPR has been globally considered and will at least global companies we can reference it and trying to comply.  And also national authorities to using this as reference point as well.  So I can say from what we have seen, the Nigerian data protection regulation, got some endorsement from maybe EU data authorities and some level of handshaking going on right there.  And of course, we do have the African Union data protection regulation or advisory.  That is also a reference.  What it basically is, as I said earlier, the concentration for natural person and legal person.  For the data to be protected and also what is expected of them is quite the same in a way, but is the issue of penalty now that differ.  I think while GDPR is talking about 5% of unit in Nigeria, it is talking about 2% of gross or 10,000 subjects.

Like talking about imprisonment.  Possibility of imprisonment.  And then also a fine about five million shillings.  So those are the only different issues and reflects on the issue of sovereignty, jurisdiction, but I think it would be good for there to be opportunities for this review towards maybe a one framework.  Because as it stands, as this stands, you can't say this is the global framework, no.  But it is good for there to be some form of synchronization in this regard so that data can move on a cross‑border basis.  So that data can ‑‑ data can be Malaysia, and you are confident that the Malaysia data protection takes care of your data.  I think that is where the challenge is now.

For businesses that host maybe data offshore, where it is being hosted does it have good data protection privacy framework?  It is in the business interest, it is in our interest that it is resolved.  It will help business.  To ensure that simple startups can easily really scale up because you can then host your data somewhere where the electricity is stable, where you have good skill set to protect your data.  So with such environment, you can deploy and scale up your business.  To have businesses, if we can put this together.  If there can be acceptable framework.  I think a regional organization would do well to work on this.

EU has done something.  AU has done something to Asia, North America, South America, something can happen.  We're creating opportunities for businesses around the world.  When we do that, prosperity will come to the people, and then we're addressing the development goals.  The more jobs we create, the better for the society and for our expectation.  Thank you.

>> MODERATOR: Thank you.  Any others?

>> AUDIENCE: Thank you.  My name is Adriana, I'm from Brazil.  I'm a lawyer.  As the previous speaker said, the propriety must come to the people.  I believe the platforms may provide this perfectly.  For this development, I'm quite sure that the framework between the countries should be observed.  So whenever we talk about data preservation, data protection, transnational flow of data, then we should think about the due process of law.  So if it is not worth it to say that we have good frameworks and have regulations, but if they're not observed inside their own countries.  And we also should think about how they interconnect between each other.  So this is something that we would think about, make simple laws that they could be easily observed by all the countries.  And going back to the last ‑‑ the previous question about how the citizens may contribute and have digital literacy like Chad said.

Brazil has a project to amend the constitution to include data protection, personal data protection as a fundamental right.  So this is something that will bring a light to all the citizens.  So once data protection is inside the constitution, it becomes the core of the fundamental right, to ensure that its citizens will be more empowered to say, hey, I have to protect my rights, my personal data.  So we believe that with this project, with the constitution, it is going to be very useful for that.  Thank you.

>> CO‑MODERATOR:  I would like to invite you, Lilliana, to say a word.  I heard her speak.  She will introduce herself.  She's from North Macedonia.  She brought an interesting point of view, she explained ‑‑ she will do it ‑‑ that her country doesn't have any specific data protection law.  But they have to comply with the GDPR in a pragmatic way.  I would like you to say a word about this.

>> NORTH MACEDONIA:  I would actually press the button, but thank you for the invite.  Yes, I come from North Macedonia, it is a country from the Western Balkan region.  We're not an EU country member, but we're a signatory partner to the convention 100.08 from Council of Europe, because we are a member of Council of Europe.  We are implementing data protection law act that is harmonized with directive 9546.  But as not part of the EU, we have not harmonized and not implemented GDPR as well.  But what we have is actually a constitutional right of data protection provision, within the constitution and a specific provision within the constitution as privacy of fundamental human rights.

But we don't have a specific privacy law.  It is only a data protection law, where we in the comments of the law, we see the privacy as a result of processing the personal data.  But what we see as a necessity, as I was speaking in the previous panel, although as a country or as a region, we are not EU members, and not GDPR, let's say compliant.  We do find a way, how to actually implement the technical requirements on different levels, either on ITU, platform level or procedural processes level in order to implement standards that are requirements from the GDPR as well.  Why?  Because there is a strong need from as we have seen from the cross‑border cooperation, just to explain in a very practical way.

There is a dental tourism that is developed in the past couple of ‑‑ more than five years, let's say.  This dental tourism brings EU nationals from our neighboring countries, which is Greece and Bulgaria, into my country.  Because dental ‑‑ why dental tourism?  Dentist services are cheaper in my country than in the EU country.  So what happened in the very ‑‑ the towns which are near to the border, became dental clinics.  Yes.  But that enforced one patient from Greece to ask from medical record from the dentist he was going into, because he wanted to make aware to his dental office in his town in Greece.  Which is GDPR right?  Data subject right to be able to get your data your personal data and transfer also the data into another country.

But what happened?  The dental clinic was not aware of this data subject right.  Didn't know what actually they need to do and how to do it in order to give them or not this medical file.  That became an issue.  Then they requested for some help.  Again, we saw this is a challenge and issue because we do not have in place the GDPR as a regulation.  But what we did in the technical requirements, my organization developed some GDPR tools as we say.  Because it is a GDPR right.  It is a diagnose when you don't know for which provision from GDPR you are ill.  Then you can ‑‑ by using technical tools you can have a diagnose what to do in these terms.

So countries that do not have legal frameworks are very important in this finding the most suitable policy level, how to react and to prevent even data protection and privacy as well.

But again, we think that there is a possibility that the technical departments and I.T. specific let's say ‑‑ I.T. experts can really help us into introducing some tools that could really be requirements implementing an enforcement of already existing legal frameworks as it is a GDPR.  So by the time we adopt it in the parliament or the time we became an EU member country, we can technically on a technical level, technical experts can help us in implement and enforce this kind of standards.  Thank you.

>> MODERATOR: Great.  Sebastian, did you have something else you wanted to bring up from your IGF?

>> FRANCE:  Yes.  Thank you very much.  I think part of the message from the IGF in France was ‑‑ could answer your question also.  I will read the five main topic.  It was under the umbrella of platform governance and region behind recommendation and algorithm features.  The first is system regulation of essential platforms.

Second one it studies is establishment on authority of platform regulation.  I guess that is more at the French level.  When we say establishment it could be given to current authority.  It was to have this in mind in the discussion with the authority and with the Government.

The third one is work on strong coordination among the organization involved in Internet governance and its part what you are doing here.  It is important that we follow up on that job.

Four is study the role of Internet users, implement short time dispute procedures in addition to the longer tomorrow intervention in the platform and category regulation fields.

The last one, it is target regulation or governance of processes, information gathering, moderation and publication, rather than regulation on data.  That is five points we bring from the discussion we had in France.

And I want to add that we ‑‑ in the field of ICANN, who is not directly related with that, but as we are working with structure, who we are representing end user, it is a place where we can bring information and at the global level, at the regional level, and of course at the national level, who could be a useful tool to be taking into account in distributing the information about this topic.  Thank you.

>> MODERATOR: Thank you.  Anyone else?  Go ahead, yes.  Identify yourself.  Yeah, you.

>> AUDIENCE: So I will be quite brief.  So I just wanted to add that regarding the discussion on the global standards for data protection, I think something that could be useful in the discussion is to talk, while there is a convention that is starting to become a de facto global convention for data protection which is 108, and the modernized version.  This is more of a de facto international convention.

There is also another document, which is the 2009 Madrid declaration of the international conference of data protection and privacy commissions which is interesting because it reflects maybe a more global perspective because it was not only liberated by member countries of the Council of Europe and all the authorities that are taking part in the global privacy assembly.  Because the ICDP just changed its name.  From this discussion here and the previous discussion this morning on data protection, it does seem that the ‑‑ what is really left to build is really confidence between the different countries and jurisdictions with regards to the protection of personal data and protection of privacy.

So in the future, we'll probably, I guess hear more and more emphasis on the independence of data protection authorities.  Also, there is no more time to talk about this, but I would be curious to hear about national initiatives of collective redress.  Because collective redress is a mechanism that allows to complement the action by the authorities with Civil Society organizations or class actions can also play a role, probably, in all of this discussion on enforcement.

So probably there is Moe more time ‑‑ no more time for collective input on collective redress.  If you want to discuss this on the break, I would be happy to hear your discussion.

>> MODERATOR: Good suggestions.  We are down to 23 seconds.  I know you have done a lot of work this year.  And probably have in the past with the NRI.  As you said, the discussions can continue in the hallway, conversations.  I want to appreciate your time and look forward to seeing you around the hall.

(Concluded)