NRI Collaborative Session: Learning from NRIs

21 December 2017 - A Other on Other in Geneva, Switzerland

Also available in:
Full Session Transcript

>> Ladies and gentlemen, this session will start in about two minutes. 

 

 

>> JAMILA VENTURINI: Good morning.  Thank you for joining us this morning.  This is a collaborative session between IGF Brazil, Panama, and Youth LACIGF.  Feel free to come closer.  The idea is to have a dynamic debate.  We selected three topics reeled to data ‑‑ related to data protection to discuss today.

 

 

I will start immediately so we have enough time for discussion and questions in the end.  My name is Jamila Venturini.  I am part of the Internet stream advisory team.  This workshop, as I said was coordinated by three IGF, Brazil, Panama and Youth LACIGF.  This is to have best practices and topics on data protection.  The first round of intervention will focus on government access to data.  We'll start with Lia Hernandez, who is the executive director of (speaking non‑English language), and represents the Panama IGF.  Thank you for joining us and for help organizing this session.  You have seven minutes. 

 

 

>> LIA HERNANDEZ: Good morning, my name is Lia Hernandez, I am from the organization (speaking non‑English language), and from Panama, we work on the rights.  We work on the data protection, legislation in Panama City.  My organization is working on the interpretation issues.  Panama has that interpretational law, the government of Panama cannot have access to the data, unless there is authorization.  Unlike other countries, where the communications can be accessed by the government for example, the last month, the concept (?) that allowed the government keeping the registers for at least two hours, information of the population in Chile.  In the communication, we have a lot of law that talk about the data access in our legislation.  In Panama, the program can only keep the information or data of the people for only six months.  And after this time, the government council erase all information about us.  Also, currently, there is project in the (?).  This project is about the possibility of register the same of cell phones, because currently in Panama when you buy a cell phone, you don't have to register your name or information about you.  Where currently, locally they allow to the government or communication to the communication companies register some information about the people, the name, address, the I.D. numbers.  It is in the Congress and we're working in our organization to don't allow this law because we think that this law is against mainly constitutional situations in the Panamanians and legislation, in the privacy or that interpretation.  So we don't have a lot of topics of issue with the interpretation.  We don't have a lot of problem that a lot of countries with information as the population.  I think that don't have properly a law about this topic is like a problem for the society.  Because we don't have the solution or the tools to defend our rights.  Thank you. 

 

 

>> JAMILA VENTURINI: Thank you, Lia.  Thank you also for commenting the status of the discussion, the Congress discussion on the data protection law and the different views that are emerging.  I would like now to introduce you to Maryant Fernandez Perez, she will comment on the European challenges to the cross border data. 

 

 

>> MARYANT FERNANDEZ PEREZ: Thank you.  I'm here representing the 35 organizations that also have representation internationally.  When it comes to government access to data, one can talk about different aspects, I was asked to talk about the access to data.  I will make remarks regarding the trends we're seeing in Europe. 

 

 

When we talk about cross border data, we should talk about the evidence.  In terms of the government access to data, the term of e‑Evidence would not be appropriate.  Why?  Because if you ‑‑ just because you access data, it doesn't mean the data will constitute electronic evidence before the Court or even the evidence will be valid before a court.  We should change this discourse and talk about the access to data and electronic evidence.  According to the rules on the protection of privacy, and communication, regardless of the type of personal data, involve the other same protection.  Whatever organization, that is either the European Commission and proposal in January or in the Council of Europe, the discussions that EU should defend the same protection for all types of personal data. 

 

 

Second point I want to make there is a criminal with the technology with the effective criminal investigations.  Of course, there are legitimate concerns, however, the detail area, we're leaving more and more digital traces and therefore information society services create new investigative possibilities as well as obstacles.  This is reflected, for example, in the directive that is called the EU policy directive on data protection. 

 

 

In case some access to content data, for example, is made difficult, the U.N. special Rapporteur clearly stated as revealing of a personal's individual activity as the actual content of a conversation, as a result, it is clear that we live in a golden gage for law enforcement authorities when it comes to collecting information.  The other thing I want to talk about is the MLAT reform versus mechanisms of direct corporation with service providers. 

 

 

We see a trend instead of reforming the assistant treaties, there seems to be an assumption that we have lost hope on reforming it and think that direct corporation will solve all the problems.

 

 

In the case of the commission and the European Union, they outline very important practical solutions such as creating a global and secure portal.  Better training for law enforcement authorities on how to use MLAT simplification and authorization of forms, points of contact, so forth.  These measures are important, but there needs to be a willingness to actually put this into practice.  So from a European rights perspective, we encourage the European Union and any other parties that are considering to update or have a print mark on access to data, that they focus on improving the MLATs.  This starts with the European Union with the case laws, such as the digital rights case, which rules that the data protection was illegal according to ulaw.  This could start with the efficiency and implementation of the current order, including the impacts on fundamental rights.  This could also look at the complementary nature of the EU and national frameworks and coming to the convention, among others.

 

 

We need to ensure cooperation that is unequivocally in line with case law with the European Union.  It is essential to have it pass the Court test.  If we follow the case law, it is despite all the recommendations and constructive criticisms that NGOs like mine and our members have made have not been taken into account.  It has to be subject to litigation to actually ensure that the fundamental rights, concerns we have presented are actually taken on board.  It is important that policymakers take this into account very seriously.  We also should need to advocate against those proposals that lower the standards of human rights.  Such and ensure that no text is adopted that has the luring or sacrificing of the European standard including the privacy protection and due process.  In the case of the Council of Europe discussions, as Lia presented a good example, there are countries that don't have the framework we have in Europe.  The safeguards are more person when we talk about the Council of Europe discussions.

 

 

Finally, a very important point is also transparency.  We need to have all be transparent, inclusive and safeguards.  There is the necessary and important principles for the Council of Europe discussions and this includes principles such as legality, digitalization, prior to making any request for data. 

 

 

Also, criminality and seriousness of the offense.  The principle of necessity, due process, user notification by default, public remedies, public oversight, integration of communication and systems to be respected.  Safeguards for international cooperation, and safeguards against illegitimate access but not limited to those that allow the parties that are faced with government access requests to say actually, your requests, for example, does not comply with your questions in the law so we cannot ask you this.  To find a way to cooperate between the authorities and authorities and companies to make sure our rights and freedoms are not undermined.

 

 

Finally ‑‑ I said finally already ‑‑ but just last remark.  We also see a trend on government hacking in the European Union context instead of talking about it, they're talking about more access or direct access to e‑Evidence without any intermediary.  We think we should be more honest about what we're talking about here.  Government is conducting the activities should be mindful of best practices and set up a full disclosure system and not stockpile for future use.  That is why it seems that we see safeguards are not implemented.  We call for representative on government hacking.

 

 

>> JAMILA VENTURINI: Thank you.  This is a good point for several issues on data.  Thank you for the concerns regarding criminal investigations, also.  I believe there are different types of mechanisms for government to have access to data.  And several countries are facing serious threats, I would say, and attempts to reform legislation to credulous safeguards in place.  Thank you for that.  And thank you for highlighting the recommendations from the European civil society from MLAT reform and other topics.

 

 

We will now move to the segment on data retention.  I will introduce you to Bruno Bioni, the legal advisor on the network information center.  He will bring thoughts from the Brazilian IGF and the data retention in Brazil.

 

 

>> BRUNO BIONI: Good morning, or good afternoon to everyone.  I'm Bruno Bioni, I'm a legal advisor, but I'm speaking in my personal capacity.  Taking the title of the session as a guide, learning from the national and regional IGF initiatives, exchanging experience on the retention, government access to data and data literacy, I will map how one of the talks, data retention has taken place in the seven editions of the Brazilian governance.  Since 2001, it could not be different.  The Brazilian IGF is an arena for issues.  It could be considered a thermometer for the policy debate.  My goal today is to rebuild this along the last seven years, giving (?) into the reports of the Brazilian IGF.  It might be useful for what is the evolution of the stats in Brazil.  And most important, showing that available research source to be explored.  To understand the history of the process and going to exercise at the (?) as an archive for such purpose.  And by doing that, it is possible to have the phases of data protection.  And three different ways to shape the debate in different forms and space.  Respectively polarize and intermediate the more nuance in the redesigned of that.  Gladly, the movement of the resistance of data protection and legal e tension and the legal regime, the thought itself has lost energy in the public debate in Brazil.  That is the point I would like to make here today.  The first wave covers from the first to the third IGF from 2011, 2013 and at that time, there was no legal obligation with regard to that retention in Brazil.  The center of that was if the Brazil Internet view of rights, marks the Internet which is off the Brazilian Congress should adopt or not on that retention.  During this three years from 2011 to 2013, there is strong dimension on the legal rejection at all.  That mass of data collection would not be aligned with the constitutional clause of the presumption of innocence and thereby it would be unconstitutional.  Oversimplified, that was completely polarize the adoption or refusal of the regime.  However, we all know that the final version of the test of this view has adopted the mandatory legal regime. Internet connectors are obliged to keep logs for at least a year, and another for six months.  This is the start point for the stage.

 

 

From 2014 to 2015, which corresponds to the fourth and fifth IGF, it emerged in the intermediary approach.  A part of who was totally against the monitor data regime is partially against the mandatory data retention regime.  The well known decision mentioned here of the European court of validating that has created debate in Brazil.  With the rationality, there should be safeguards to push it and metadata retentions.  For instance, the voice during the IGF have claimed that data access should be granted only by court order issued within the course of criminal investigations and not within the civil proceedings as prescribed.

 

 

Access to metadata should be granted only if there is not other elements and tools.  Said power should be a less resource.  It should be only mandatory for those users.  To establish those safeguards, to strike a balance between the investigators rights and mandatory powers.  The European court of justice should inspire the decrease ‑‑ decree of regulation. 

 

 

Some of the provisions were not enforceable, since they should be (?) and this would be a kind of proportionally regulate metadata.  You know the decree was to shine in doing that, which is to understand since the decrease has a limited home to have the provisioned described in the law and not amend the law itself but at the same time, it would be understandable and even predictable that the (?) of the Internet could be challenged on this particular point.  The first and second wave shows the debate around this issue has emerged and critical in considering the dates in this atmosphere.  I was saying there were solid arguments that could equip judicial actions to challenge the constitutionality of the review, with the regards to that mandatory regime.  This is the last phase of the debate of the review.  Why did it not happen? 

 

 

Three of the WhatsApp blocking case happened right after the remarks of the Internet.  Obviously, there was an outcry in Brazil that has shift during the last two years from 2016, 2017 respectively in the sixth and seventh Brazilian IGF.  The debate was focused more on the protection of the content of communication than the protection of metadata.  And to complete the constitutionality of the review is being challenged.  It does not address the provisions on that retention.  This is the third and current phase on the data protection debate in Brazil, which I will qualify as resigning, in the sense that the issue has lost energy.  There has been a loud silence about this topic in the public debate in general. 

 

 

To summarize, there is a polarized one, intermediate one, and resigning thought on the data retention.  Having that debate, I would like to rise the reflection.  Metadata is a portrait of our personalities and even more revealing than the content of the communication.  They should not have the same protection?  What is interesting about metadata is that it can't lie.  I can't sim ‑‑ can simulate an e‑mail, it can be fake.  The information about where, when I sent that mail, that is information.  Look for the information that takes into account that our lives are very much connected in looking for the future.  Internet of things is coming.  How much information could be revealing about us could be more revealing than the content of our communication.  How we can produce empirical evidence of how much useful has been metadata to persecute cyber crimes.

 

 

Speaking more generally, are the debates of the balancing of rights and investigatory powers advancing.  Would it not be desirable to take steps back to see the historical analysis has for us to the Brazilian perspective?  Surfing the three waves of the data policy would be useful for such purpose.  Should we do the same, not only nationally, but also regionally in order to fit globally the policy debate of balancing the protection of the fundamental rights and investigatory powers.  Basically, those are the reflections that they would make to date.  Thank you for having me. 

 

 

>> JAMILA VENTURINI: Thank you, Bruno.  This was an excellent reflection, I guess, on the issue in Brazil and the data retention.  That is like what Maryant Fernandez Perez said before, when she discussed government hacking.  You made a good point about the shift of the attention to the content and encryption.  Thank you very much.

 

 

We will move to the final discussion on data literacy.  This was a topic suggested by the Youth LACIGF.  I will introduce you to Veronica Aroyo.  A member of the youth observatory, representing the Youth LACIGF and coordinator of the session.  Before giving her the floor, I would like to thank Diego Canabarro.  And then our online moderator today.  Veronica. 

 

 

>> VERONICA AROYO: Thank you, it is a pleasure being here.  Thank you to everyone that is here.  I want to give you the youth perspective of literacy.  If I have time, I will briefly explain some initiatives going on about data literacy in young population. 

 

 

For the first part, I want to talk about the perspectives.  If you don't know what is the Youth LACIGF, it is the IGF for young people in Latin America.  We usually do this event one day before the LACIGF event.  This year, we have our second edition.  These reports are from the 2016 and 2017 sessions. 

 

 

I also use as a resource on the survey I used in the literacy.  I will start with the survey.  Disclaimer, you might know we cannot take all the opinions of all the young people who are living in Latin America, that is not possible.  It gives a great idea on what is happening and what we think about literacy. 

 

 

What is happening in our minds?  When we ask what is data literacy.  People didn't know what is data literacy.  The word is not familiar to us.  However, when we start to see and start to explain, basically, what it means, I mean, this knowledge of data processing and all the empowering of the concept, then they say, yes, I understand this idea, and I think I can be more aware in the future.  We know the idea, even if we don't know the words.  That is one point.

 

 

Second word, how do you know this about data processing?  The answer is well, I work on this issue because a great part of the people who fill out the survey have some kind of relation with Internet issues.  Some say, no, it is because I studied some engineering or some law things and some of them said because of curiosity.  It was good to read a comment and answer saying that they started to take ‑‑ be aware about data and data processing and all the data protection interests because they were hot.  And since they were hot, they started to be more aware of this problem or this opportunity, however you want to call it. 

 

 

We asked the other part of the group why they don't know about data literacy or not taking it into account in the daily life.  The answer was, I think the most easy answer.  They do not read terms and conditions and don't like terms and conditions.  It is too big, it is too difficult to read.  They don't have time to do that.  That is why they don't really care about data things and data privacy and all of these things that we have online.  Some completed saying they're not interested and saying it really does not affect them in any way.

 

 

So when we started in this conversation we asked, so, this is important, right?  We agree on that.  What can we do to improve the situation or get more people involved in knowing what is data processing or data literacy, those things.  They said we can do workshop, do education work.  Who is in charge of this?  Enterprise, those are the ones collecting our data.  Those are the ones.  In the second position they put the government or the state which is good because of what I will say in some minutes.  With this idea, I will try to compare what I got from the reports in the 2016 and 2017 sessions.  The reports reveal kind of the same issue.  First of all, they say here those in the room, maybe we know what is data protection.  We know what does data processing means.  However, people outside the room maybe do not know.  They do not know because they're not too much information outside.  But they're kind of this, I know ‑‑ my friends don't know, but we're kind of, you know, asking if they are selling our data or not.  They're aware that maybe there is transsection or some trade on data.  And they ‑‑ I see the reports, there is always some ideas, some terms and conditions, again.  So this idea appears and they say, well, with the issue of terms and conditions, we do not read terms and conditions, but we're afraid of terms and conditions, we ask why are you afraid of terms and conditions and privacy policies and applications on web pages?  They say after signing those terms and conditions, I may lose all my privacy or I feel like I can lose my privacy.  However, I have to sign the terms and conditions in order to access the service.  And I am pushed to sign this terms and conditions.  There is no way ‑‑ just one way to sign this and get that.  I cannot say no to terms and conditions.  They know, they are afraid, they have to do it, that's a problem.

 

 

When they were asked what can we do if we have this problem, they also rely on education and on transparency.  When they were asked who can be in charge to do this work, and they also rely on enterprises and put into second play, the governments.  They say government needs to push or needs to work with enterprises.  So enterprises can protect our data.  But they don't think ‑‑ I mean, we don't think because I'm on that group, we don't think that governments are also processing data.  That is another point.  We see Facebook, Google, those big enterprising processing data, but not government.  Will this cast in the data literacy?  Those thoughts for me are very important.  I see that there is lots of work to do here.  Because we are in a situation of vulnerability, we are pushed to do several things and the tools are on Internet, but we are not doing privacy analysis or anything because we don't have another alternative.  We need just click on the button, I accept and be there.  That is the point.

 

 

If we don't do this analysis how can we go forward and ask for data literacy things?  There is a lot of work to do in the young population.  I don't know what is the situation in other regions, but in the case of Latin America, there is a lot of work to do

 

 

In this point, what can we do, there are some initiatives.  There is 20 or 25 program ‑‑ or with ISOC, one is Kate Greene from United Kingdom, she's conducting two programs, one is for high school students, the by rights and juries.  They help high school students be part of the fake jury about Internet things.  They discuss privacy.  When you see them watch the videos, I invite you to do that, you will see how deep the concerns are about the privacy. 

 

 

She have another privacy hub, I invite you to watch that and search it on the Internet.  The second initiative in going on is Paula's initiative, from the youth observatory.  She's doing youth initiatives.  Most are on the title digital literacy.  When you see the content, it is data literacy.  And yeah, and also, another resource for you is the research of (speaking non‑English language) and ONG from Chile.  That talks about children perspective on privacy.

 

 

>> JAMILA VENTURINI: Thank you, Veronica, it was great to hear from you about the feeling of power by users and to have the feeling that people are not so comfortable as we might think in sharing so much data with the companies or even the government.  I hope we can hear from Paula during the discussion session.  We will move now to Federica Tortorella who is reporting the IGF Dominican Republic.  She will continue the discussion.  Thank you. 

 

 

>> FEDERICA TORTORELLA: Thank you so much.  I will talk about Dominican Republic perspective about data literacy.  The current practices in this case are very few.  This is a theme in Dominican Republic that needs more discussion.  It is still something new.  We made a survey to collect some data.  It was answered by 66 people.  Many don't know what data literacy is.  The other part of those who answered yes to the question, what do you think data literacy is has a misconception of it.  In our country, data treatment is ruled by the rule 162 published in 2016.  Databases of financial institutions are regulated and supervised by the superintendent of banks.  Others like RALF, and so on, they're not regulated.  There is a lack of awareness about the users or companies do with personal data.  That is a serious ‑‑ which is a very serious issue.  Managing databases, means having a lot of power and it must be ruled to keep them safe and secure.  By the way, Dominican Republic is making effort to solve this problem.  It is working mainly with open government and for example, databases that deals with transparency, especially budgets and cash flow such payrolls must be accessible to everybody.  So they must be applauded in different formats like Excel or ‑‑ uploaded in different forms app ‑‑ formats like Excel or PDF.

 

 

There is a program called (speaking non‑English language) in English called digital republic.  It is helping make the sustainable objections.  It is not sustained because of the budget, key performance indicators to measure advances.  It lacks transparency to affect the follow‑up by society either a public or semiprivate institution that follows its work or impacting society.  Thank you. 

 

 

>> JAMILA VENTURINI: Thank you, Federica Tortorella.  Thank you for bringing the context of the Dominican Republic.  I will give the floor to (?)

 

 

>> PRESENTER: I thank Jamila for inviting us to report and share our efforts to mobilizes Brazilian society to make pressure in parliament to improve data protection law.  As a member of coalition of rights in network and as a representative of Internet steering committee in Brazil, I have supported the civil society in addressing sensitive and fundamental issues for Internet users to the most stakeholder institutional environment Internet governance.  The coalition of rights in the network is a quality organization on fundamental rights, communication and consumer rights advocacy, activists and academics.  It started in June 2015.  And since then has gained relevance in the various debates regarding the use and development of the Internet in Brazil.  Among the various topics considered as priorities by the coalition is the recognition of the strategic importance of approving a personal data protection law in Brazil.  Also Brazil law of the Internet, a law that was enacted in 2014 brings an important reference about data.  It is a principal‑based law, with the final guidelines to the use and development of the Internet and therefore does not provide enough degree of details to regulate the collection, treatment and use of data by enterprises and government.  Further, so far, we have not succeeded in approving a data protection law that reflects the conjunction of forces of the various sectors involved.

 

 

There is a lot of pressure from companies in lowering the data protection.  Moreover, the civil society lacks the importance of the issue, due to false and widespread perception that protecting privacy is not something that is feasible any longer.  Such scenario is negative, since it leaves a sense of vulnerability susceptible to harms derived from the digital environment, a problem that will be worsened by the rise of the Internet of things.  People are generally not aware that personal data is the new way of the world economy and the reform ‑‑ we will promote digital literacy awareness to promote protection of personal data and rights.  People belong that platforms are offered for free.  This is one of the main barriers in engaging and mobilizing user stores as well as raising awareness for the issues.  Some don't know the involvement of the large scale data collection as well as writing infringement, violations of the freedom of expression and freedom of choice.  The vast majority is not able to take measures against abuses in the use of personal data by the private or public sectors.  Serious abuses have been occurring on large scale in Brazil.  In fact, such law has exists for over 20 years in Europe, in Latin America, eight countries have already enacted such rule.

 

 

So in an effort to raise awareness for the issue of personal data protection, the coalition developed the campaign named You Are Your Data launched in October 2017.  The campaign creates different ways through which our personal data is exploited, revealing sensitive information about our lives.  For all these reasons, we urge the international community to support our thoughts in getting data protection law enacted in Brazil.  Such will not only protect us in rights and fighting abuses of democratic safeguards, but also greatly contribute towards the strengthening of international commerce and cooperation.  Thank you very much.

 

 

>> JAMILA VENTURINI: Thank you, Flavia, thank you for showing how it can promote initiatives.  We had several interesting interventions from the panel.  I would like to open now the floor for discussion with you.  We're not many, so I think we will have ‑‑ we will be able to have a nice debate and conversation about the topics that were discussed here.  Does anybody would like to start? 

 

 

>> QUESTION: Thank you, I'm Danielo from Brazil.  I would like the opinion of the panelists about your opinion on the rotation ‑‑ retention, and if retention has to have the same as (?) and having law enforcement with any substantive material to be with and also create problems in the change of communication in Internet at a technical level. 

 

 

>> JAMILA VENTURINI: Thank you, Danielo.  Bruno, would you like to? 

 

 

>> BRUNO BIONI: Yes.  That is a good question.  I would say no.  Basically what I tried do here is the analysis that the same protection that metadata should have as the content has.  Basically I'm wanting to create the same safeguards to have access to those data.  So why not to try to bat and create rights of transparency. 

 

 

In Brazil, there is a duty of transparency, why trapping of the ‑‑ wiretapping of the conversations should have a report on that.  How often were the requests for that.  I think you could do the same with the metadata.  At the end of the day how much is used metadata is used to persecute and fight against cyber crimes.  What I am trying to raise here, at least we should think about the same safeguards and I think you can set up a baseline for this execution. 

 

 

>> JAMILA VENTURINI: Would you also like to comment? 

 

 

>> MARYANT FERNANDEZ PEREZ: In the European framework, all types of data including metadata have the protection.  What we see in Europe is the interesting, and two rulings from the European justice, for the safeguards.  For example, (?) is declared invalid.  Precisely because of the fundamental rights violations.

 

 

If you read, for example, in the ruling, it says a general indiscriminate intervention for crime and other security reasons would not be more at national level than EU level.  It seems to violate just as much the fundamental requirements.  Increase eminent and mass collection is not collected.  A few member states are not abiding by this rule.  There is a report that was published by one of our members at state watch that shows a quite a lot of disparity among member states and they're not abiding by the standards of the Court.  This is obviously very challenging, from everywhere trying to make sure the European Commission takes action.  Unfortunately, they're not showing much willingness to do such things but we have clear case law to indicate certain safeguards and these must be abided by them by all EU member states.  That is the EU situation, obviously.

 

 

>> JAMILA VENTURINI: Would anybody else like to comment on this one?  Do we have another question or comment? 

 

 

>> QUESTION: My name is Peter, I have several things to react on.  I will try to limit myself on three.  First and foremost, I was very happy and glad to participate in this panel and to see all this enthusiasm and energy that you are carrying especially outside of Europe.  Europe is mainly focusing on the daily activities to Europe.  I will explain a little bit later, we have great interest what is happening outside of Europe as well.  Privacy is a universal human right that is global and has to be guaranteed.

 

 

So I am very happy.  Secondly, I would like to draw your attention to one of the jurisprudence which maybe not is not that extensive as the jurisprudence you were referring to in your expose, but it is more historical.  And has established a framework when it comes to the law enforcement access to data and to which the European court ‑‑ the European Union court of justice makes a lot of reference.  This court is the European court of human rights, which is in the body of ‑‑ a part of the organization of Council of Europe.  It clearly stated that the access to data for law enforcement, represents an interference in the individual's privacy.  It is as such can be judged as limited interest for the preservation of peace in public corridor, public security, but it has to business balanced.  This is the keyword, in our sense, balance.  And how you reach this balance.  And the balance we believe can be reached by dialogue.  And you were referring to important activities that European institutions are engaged in.  But as far as Europe is concerned, we remain always open and have been in the past to the dialogue.

 

 

We truly believe it.  Therefore, I really encourage you to continue your work.  Not only continue but make your work public or make your work channelize through those political and legislative initiatives, which is currently going, which are of really great importance.  The Council of Europe, piece of legislation on the drafting of the protocol to the Budapest convention is supported by many governments.  You see we are living in an environment where terrorist attack happens, and data in cyber space can be useful to police.  And you know the favorite example is the accident where all the cyber crime investigation, 45 after the accident took place, the perpetrators could be revealed. 

 

 

However, one of the best place for this work we believe at the consul of Europe, this is 120 governments in the world, including U.S., Canada, Brazil, Argentina, believes we can have this balanced approach, as we have two legal instruments which are open to serve countries.  One is the Budapest convention of cyber crime and one on data protection.  And those ‑‑ in between those conventions, they're a great synergy.  And we take into account each other's point of view and reflection.

 

 

So to cut the long story short.  I am coming from the secretariat of convention one way dealing with data protection.  And we have exactly the same issues in mind, and we assess the same topics that you were referring to, but we have a committee, which comprises 51 member states but several observers, such as NGOs.  We have NGOs at our meeting.  And we are discussing with them on these issues.  So I would really bring or raise the awareness much the possibility that of course, there are certain criteria to qualify to come to the meetings, but I can give more information on that if you are interested.  But we have, like Edward, Marion, we have members with whom we are in constant or regular, at least dialogue. 

 

 

So I would stop here.  The work has already been started.  It will be very interesting work, but be sure that we at consol of Europe, we want to do it in a balanced way.  Thank you. 

 

 

>> JAMILA VENTURINI: Thank you.  Thank you very much for your intervention and comments.  The idea of the panel was to establish this type of connections and dialogue.  I don't know if any of you would like to comment on some specific point? 

 

 

>> PANELIST: I want to highlight that CGRI is a space to treat about cooperation and research and other issues about data protection.  The different systems of data protection, in order words, in Europe especially, then our door is open.  And I think it is a good initiative if we can talk about and make changes.  That's it.  Thank you. 

 

 

>> JAMILA VENTURINI: Thank you.  Perfect.  Maryant Fernandez Perez? 

 

 

>> MARYANT FERNANDEZ PEREZ: Yeah, absolutely.  Thanks so much, Peter, for making that comment.  I think it is fundamental that civil society, not only in Europe, but across the globe engage.  We have heard that there is not much awareness, and I believe even within some countries that could potentially sign the protocol could here from all the divisions.  If you look at our website, there is a submission that we sent to the Council of Europe, signed by 14NGOs, this is also from Latin America.  (Speaking non‑English language) but we think we should work more together.

 

 

With regard to the balance to be achieved, absolutely, that is what we aim for that is why we call the civil society to be included but units like yours to be involved in the discussions, this is not done in the way we would like to, but the data protection Council of Europe, and the Council of Europe's commission for human rights the parliamentary assembly of Council of Europe and any other actors relevant to the discussion.

 

 

Another point to make with regards to the combination of the convention 108 and cybercrime convention, we think that is essential.  We would have loved for having the requirement if you are a country and want to sign and ratify the convention on cybercrime you had to sign and rat fight the convention 108.  That is not the case.  The most example is the United States.  We see that this needs to be ‑‑ the two conventions need to go hand by hand.  Otherwise, we have a strong demands and concerns that I responded to on cybercrime.  Obviously, the protection is not the only safeguard, but it is important that it is the framework of the countries that could adhere to this.

 

 

>> JAMILA VENTURINI: Thanks, you made a great point.  Bruno? 

 

 

>> BRUNO BIONI: Quickly.  Brazil has no comprehension in the loss, it is not possible to adhere to that without this personal data protection authority.  I think the correct place for Brazil to have the comprehensive protection to work with the consul of Europe, and after then, the convention of Budapest.  I think this space would be, a kind of effort of balancing those competing interests and rights. 

 

 

One thing that counsel for Europe is a key player and also the convention with regards to personnel protection, because there is a specific provision with regards corporation between the countries and mainly between the protection of authorities.  And I think at the end of the day, the problem around personal data protection comes when we try to enforce the guaranties and rights.  If you can establish this kind of mutual information.  That was done before between the Dutch, that is a leading case. 

 

 

If you have a broad corporation pushing by the convention of the Council of Europe, that would be the ideal scenario, definitely. 

 

 

>> JAMILA VENTURINI: Thank you, Bruno.  I would like to know if we have ‑‑ (speaking non‑English language) sorry.  I will give the word to Lia and then to you again.

 

 

>> LIA HERNANDEZ: I want to say something to Peter, Panama was the first country not to join the Budapest convention.  One of the main problem is we don't have a lot of protection law on the government ‑‑ it is not ‑‑ not a lot of knowledge about this topic.  First time, last October, the government call for NGO on the other organizations in Panama to come help them to implement, write a perfect or better law because it was a big problem in Panama.  The counsel of Europe ‑‑ Council of Europe was helping the government to finally implement this convention. 

 

 

>> I think from the political perspective, for the public debate, I think the Council of Europe could raise the voice in that sense.  Because the political agenda in Brazil is not so much stable.  If you have some kind of support coming from international organizations, such as Council of Europe, that is important not only for guaranteeing fundamental rights, but also to boost the economic growing.  That is very useful for us, at least from our perspective of our political agenda. 

 

 

>> JAMILA VENTURINI: Thank you.  I would let Peter answer in two minutes, and then I will give you opportunity. 

 

 

>> PETER: Two minutes to respond.  Yes, to certain extent, I agree with a lot of things you said, but you also have to be ‑‑ also have to see that the first jousting plenary of the ‑‑ those that participated welcomed the global submission.  You saw it in the front of the meeting.  So that is ‑‑ I think that is hope for further discussion on this.

 

 

Brazil and Panama, we are doing it, we are in constant relation with Brazil government and stakeholders and Panama, we are promoting convention for those countries.  You have to understand and I think you understand that for a national state for a country, there is a political decision to install the data protection, which will have repercussion in different area.  It has to have ‑‑ it has to be a political consensus within the country, and then after we can help in several ways, giving information and engaging in activities, we are doing it.  Especially in Brazil since long time.  And we are pursuing it as we have Argentina and Mexico has been invited to exceed convention 108.  Those states also have Latin America doing it.  It is not easy.  But that is one thing.

 

 

The other thing, it is not only ‑‑ the consul of Europe is not only giving space to intergovernmental relations but NGO as well.  We have NGO in our main thing, that is important.  If you are sending us papers, we are reading them and try to include them in our work.  Thanks. 

 

 

>> JAMILA VENTURINI: Thank you.  I think we have another question or comment here.

 

 

>> QUESTION: Thank you it is more a comment or invitation ‑‑ intervention and invitation.  My name is Cecil Cammar, I work with a civil society organization.  I'm sorry I couldn't be here earlier to hear the panelists speak on this issue.  But I just wanted to highlight an opportunity ‑‑ an upcoming opportunity which is the international conference of data protection commissioners, which is the only convening of data protection authorities in the world on this issue.  And next year, with the conference being hosted in brussels, it offers a good opportunity for civil society groups to engage.  There are a group of civil society groups that have engaged and we're keen to open this up and ensure that as many civil society groups from across the world can engage in the upcoming conference in 2018.  The outcomes are nonbinding but offers the opportunity for norm building and to engage in data protection privacy and data protection.  It is ongoing.  This is particularly a shoutout to the civil society stakeholders in this session.  If you are interested in some of the upcoming opportunities, come and talk to me.  And I can also share with you some printed guides to the ICDPPC which outline how it works and how you can engage in civil society.  I wanted to put that out there as an opportunity to engage in this issue at the global level.  Thank you.

 

 

>> JAMILA VENTURINI: Thank you very much.  I would like to ask the remote moderators if we have any questions? 

 

 

>> DIEGO CANABARRO: I received from another channel.  The remote moderator.  Let me read it.  It is good because participation was national, so it is a good time to put this.  Diego is asking ‑‑ I'm sorry.  Not that one.  Oh, yes.  This one.  Considering that data retention has several economic and civil society influence public policies, what is the common approach to enable the participation of civil society and policy processes.

 

 

>> JAMILA VENTURINI: Excellent.  Very appropriate.  Does anyone want to comment?  Yes?  Veronica. 

 

 

>> VERONICA AROYO: That is another difficult one for everyone.  I was mentioning before, we have the same thing with data literacy, that is happening with data retention.  If we are going to tackle this issue and want society to participate on the process where we decide things, or where the government decides things or implement some laws, that is not ‑‑ one of the basic laws we have to do is put the data retention in easy words.  This is from our data literacy perspective.  But I think that that is one of the points.  I don't know if that helps you understand.

 

 

>> ATTENDEE: It probably helps, Diego asking the question.

 

 

>> MODERATOR: I don't know if we have other questions here.  The participants can give final remarks.  Anyone want to make a question or comment?  Lia, would you like to start? 

 

 

>> LIA HERNANDEZ: In the organization, we are working on the report and data protection in our countries.  Several are interpreting the Budapest organization.  And other interesting topic in this room, to read about that in Latin America in Mexico, Panama, Chile.  Maybe the report will be online, in March, depends.  So just commercial for that. 

 

 

>> PANELIST: Thank you to Jamila for the moderation and everyone sharing.  Final remarks, it is interesting to know that the European Union has repercussions across the globe.  We are trying to make the point in brussels that is not just important to have it in law but also to know that other countries are looking. 

 

 

Another point that is something to take home is that enforceability is very important.  For the fact that there must be a framework or rules doesn't mean that data protection is enforced.  That is a first step at the end of the conversation.  The third point is we need evidence‑based policymaking.  This is very key.  With regard to data literacy, that is very important.  We have developed an initiative called your guide to digital defenders, so it is a booklet for kids, but also for young people to teach basics about privacy.  We would love to have more cooperation with the NGOs on that.  Another take home, we need to move from vulnerability to empowerment.  We think that there is nothing to fear in the future if we have strong protection for our rights and strong defense of our rights from all parties.  We think that we're stronger if we work together, and definitely that is not limit, to the coalition of NGOs that people report, but across the globe in regions.  We're happy this session is taking place.  That shows that numerous opportunities can take place. 

 

 

>> PANELIST: Thank you, again.  I would like to highlight the political importance of the data protection, especially now that in Brazil, we will hold presidential election in 2018.  And the electoral campaign raises several concerns such as that related to opposite views of personal data.  And the spread of false information. 

 

 

Thus working on digital literacy is one of our priorities as well as educating the population of the potential democratic harms related to the measures of personal data.  That's all.  Thank you. 

 

 

>> JAMILA VENTURINI: Flavia and Bruno? 

 

 

>> BRUNO BIONI: The question presented by Diego, I think you can pull up some parallels, at least from the present perspective, if civil society wasn't that strong, to provide safeguards in the test of that review.  It was a dispute that the civil society and also academia has lost.  When Juma was approving that, there was requests to reject that on data protection.  Right now, we don't have empirical evidence to know better how being useful of those investigatory powers to persecute and investigate those kind of crimes. 

 

 

And if you can create a baseline, you know, evidence policymaking on that then we are more able to move forward and for instance, the public debate on cryptography.  In a sense that sometimes we are thinking that you are continuing a scheme.  But in fact you know the facts.  In balancing the fundamental rights, I say globally we have the debate and discuss the retention regime in a sense that you should push the agenda to provide more concrete safeguards and at the end of the day, the keyword of balancing the fundamental rights against investigatory powers.  I think it would be much more clear how it is going this policy agenda in general.

 

 

Basically, what I have tried to do here, using the Brazilian experience and debate was to map this debate to make clear the device.  Use what you use in the past and reuse the arguments that were made there.  To now, I think the debate of the cryptography, if you should put back doors, put a weakness on cryptography could be made if you are much more aware of how much is being useful.  Data retention metadata in general to persecute cyber crimes.  I will say that. 

 

 

>> JAMILA VENTURINI: Thank you Bruno.  Veronica? 

 

 

>> VERONICA AROYO: I want to thank you everyone here on the panel, because I really appreciate all the knowledge and all this ideas on data and data retention.  Because as it was mentioned before, Latin America will have electoral processes, 2018 and 2019.  Yeah, it is pretty amazing.  What I want to talk about data literacy, my final thoughts are that we should ask policymakers to work on data literacy and have it on their agenda.  Why?  Because I agree with Maryant Fernandez Perez that we need to eliminate the fire that young generation has right now and to secure the Internet and rights can be protected.  You can navigate safer on Internet and you know that there is no harm there. 

 

 

Because data literacy is not just knowledge about your data protection and data and what people do with your data and what companies do with your data, it is also to empower you to participate on policy decision processes and to be part of that as that.  It is another step, not just the knowledge, but the other step is to take actions.  If we are talking in the perspective of young people, this is very important because now we are users, but one day we're going to be there sitting taking decisions.  So I think step‑by‑step, we can have that.  Thank you.  That's all. 

 

 

>> JAMILA VENTURINI:  Thank you, very much, Veronica.  Do you want to follow up? 

 

 

>> PANELIST: It was interesting to share with you our opinions, mainly in Dominican Republic, there are challenges, and other areas, too, to have the laws needed for data protection and keep awareness about data literacy.  The users must know how do the information are used and data are used because this is a power that institutions and organizations have.  And there is final users.  I have the right to know what to they do with that.  That institutions or companies or whatever have to know how to work with transparency to work with that.  I will thank you, again, Alm ‑‑ all of you.  I think these sessions are not only to speak about what is happening in our country, but also we learn more about what the tenets, the trends all over the world.  Thank you. 

 

 

>> JAMILA VENTURINI: Thank you, Federica Tortorella.  Thank you for joining us in this session, one of the last IGF sessions.  Thank you for surviving to here.  Let's continue the dialogue in a more informal way now.  Thank you very much for coming. 

 

 

(Applause)

 

 

(session concluded 1:25 p.m. CET)