The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> MODERATOR: Are we on? Okay. Good morning, everyone. Hope you can hear me. I can hear myself in this thing, so, hello? Okay. Just microphone check.
>> Testing. Can you hear me, because I can hear you.
>> Yes, I can hear you, Robyn. Great! Everybody around the room, if you don't have a headset, please pick one up. Otherwise, you won't be able on channel 1 otherwise, you won't be able to hear us and you won't be able to hear our speakers online. Okay, check, check. Everybody can hear me. Channel 1, yeah. There we go. Good. All right.
So, welcome, everyone! Thank you for starting your morning with us. This is, if you're wondering if you are in the right room, this is Workshop number 102 on Harmonizing Approaches for Data Free Flows with Trust. And I might ask if we maybe can close the door? Yeah, thank you.
All right. So, why are we here discussing this topic today? We know that data, and we have talked so much about data, we know that data underpins every aspect of today's global economy, supports everything from day to day business operations to the delivery of essential government services, and it enables international and multilateral cooperation. But we know that despite this core role data has in facilitating economic activity and innovation, there is continued mistrust in data and data powered technologies.
Some of this mistrust stems from the difficulty of understanding data, its nature, its consequences, and the level of risk of its handling. Trust is also eroded by concerns that national public policy objectives, such as security, privacy, or economic safety, could be compromised if data transcends borders. This increasingly fuels restrictive data governance policies and regulatory measures, such as digital protectionism and data localization. Such approaches deepen Internet fragmentation, disaggregate information that actually would underpin the broad range of socioeconomic activities and cybersecurity protection.
So, with growth and development driven by data flows and additional technologies, disruptions in cross border data flows have broad reverberations that can lead to issues like reduced GDP gains and adverse impacts on local digital ecosystems. So, it is important that we talk about trust in data. It's important that we talk about how we build policy frameworks that actually facilitate the handling, sharing, and access of data in a way that we use it for its potential for developmental gapes and try and avoid some of these fragmentation effects of inept policies.
So what we try and do here in this session is try and take stock a little bit of the various regional, international initiatives that try to deal with data governance and try and see whether or not we can move towards some commonality between these, if we can find some ways in talking about data governance that leads to more harmonized, or at least interoperable approaches to handling data so we don't fragment the policy space around it, and with that, we don't fragment access to the benefits of data.
So, to help me have this conversation, I'm actually in a very interesting position because I don't have to answer these very difficult questions; I just have to ask the questions, and we have the experts here that will talk to me and help me answer these questions together.
So, we have experts, both here in person and online, and I'm very happy to see everybody managed to connect. We have, in the order of which I will be calling them to speak, Mr. Bertrand de La Chapelle, who is Chief Vision Officer at the Datasphere Initiative, Ms. Maiko Meguro, Director of data strategy at the digital agency online. And we have David Pendle with security at Microsoft, also online, in the middle of the night. Thank you, Dave.
We have Ms. Robyn Greene here in front of me at the table, Director of Privacy and Public Policy at Meta. And last but not least, also comes Clarisse Girot, who is Head of Division for Data Flows and Governance and Privacy at the OECD. Thank you for joining us, Clarisse. It's also quite early in Europe, in the morning.
So, to jump right in, we'll talk a little bit, first on why is it important that we talk about data, and to discuss a little bit the added value of data and give some nuance to the perceptions around what we actually mean around data and the conditions that enable cross border data flows for the global economy. So, Bertrand, if I can turn to you first to share some initial insights.
>> BERTRAND DE LA CHAPELLE: Thank you. Good morning, everyone. I like the fact that you mentioned it's important to talk about data, because as you know, this was the title of a report that we produced with the Executive Director of the Datasphere Initiative, and the title was, we need to talk about data: Framing the debate between free flow of data and data sovereignty.
And the way we handled the question of creating the maximum value for everyone out of data is a constant challenge. I want to highlight first that when we talk about fragmentation, it is not a risk. It is a reality. The legal landscape is fragmented, because we have 190 countries, and they all have different laws. On the other hand, the technical infrastructure of the Internet is, by default, free flow of data, and it's the tension between the two that we have, in most cases, have to address.
The second thing is, we have a tendency when we talk about data to think in terms of sharing of data, and a lot of people have sort of an image that dates back to older times where you are using a database and you share this database and you basically transfer this database. This is not the way it works anymore.
The way it works today is through API, is through right of access to data. So, many times, the data doesn't travel, really. It is just that you query it from another distant place. And even more, there are new techniques called privacy enhancing techniques, and some people consider that they should be called partnership enhancing techniques, such as an moveric encryption or federated learning, that allow to leverage existing data without necessarily having to share this data, because you can do computation on encrypted data or you can do distributed learning for an AI system. So, the landscape is changing.
And I was impressed by the fact that in a panel yesterday, Yoichi Ida from Japan was answering to a question that I was raising, highlighting that the notion of data free flow with trust is a high level concept that is useful to drive the discussion at an international level, to establish the fact that, as a principle, we should aim for the maximum capacity to share access to data.
And the final point because we can come back to a few other things we have a tendency regarding data to think in a very binary perspective. Either data is not accessible for sometimes very legitimate reasons, for data security, for privacy, or confidentiality in general, and so, it is okay that this data is not shared. On the other hand, there is a trend, very positive, towards commons, open data, making data widely available so that people can actually build things out of this.
But what I want to highlight is that, too often, we look at this as just a binary alternative, and we lose the fact that, in between, there are situations where you cannot go to the full open data, but at the same time, enable some access and some leverage of existing data that has protections for legitimate reasons, but where this data can be made accessible. And in that regard, in this decade to me of closed data and open data, what the data free initiative is pushing that we have a common objective and we should have, collectively, a common objective, which is to responsibly unlock data for all. It doesn't mean that data is available for absolutely everybody. It can be for limited groups of actors, but it is important that we share the objective of creating social as much as economic value from data, because there's a tendency to think over in terms of monetizing data, and there is a lot of possibilities to create social value. And most importantly, there is a question of having a more equitable digital society, because today, the data economy is, because of network effects, because of the fact that this resource is non rivaled, there are mechanisms that increase disparities and that make the distribution of the value not sufficiently spread and equitable. So, these are a few of the ideas that I wanted to share to reframe, or frame this.
>> MODERATOR: Thank you so much, Bertrand. And you've mentioned also that we already had discussions with colleagues from Japan. So, returning quickly to Japan, from Japan, to Ms. Maiko Meguro. But you also mentioned the role of data for various purposes, for both economic, social development, and other ones. So, I think the question is right to ask for Ms. Meguro, how do you see this from a national perspective, from a government perspective, especially sitting where you are, in your role with the digital agency.
>> MAIKO MEGURO: Okay, thank you. Okay, first of all, good morning and a good evening, colleagues, and thank you for the opportunity to speak about this important topic.
So, as Bertrand just spoke, the issue of data flow is basically (?) but also perception. I basically argue with that opinion. And obviously, as Bertrand also mentioned, it started as a high level concept, and this concept's rule is exactly the point to shape people's perception through the concept of trust, namely, to pull everybody out of the silos of sectors and, of course, integrate as a matter of data governance.
So, when I first started working on this topic of DFFT, which was in 2021, the data is basically the oil of the 21st century, was very popular. But the image of data that this metaphor actually presents is a very one sided, well, I would say trade centric view of the data governance. So, discussion of data governance, from our perspective, must take into account the multifaceted nature of the subject of concept of data.
For example, personal information, personal data is obviously the human right, but at the same time, it also has economic value, as recognised by the antitrust authorities of main countries.
As digitalization and data progresses, it will be possible to check probably the implementation status of various labor or environmental regulation in all across the supply chain, or even across borders, but the data in companies' protection lanes, which are also related to the implementation, is also highly confidential corporate secret.
So, there has been concrete cases of conflict in the past in this type of discussion, such as between investment agreements and integration in various countries, but the problem with cross border data transfer is such data conflict will alter on a permanent basis, thus leaving the matter to ex post responses, such as individual disparate resolutions or court cases could lead to a market environment that favours and entitles, even, for those people who can take the risk of dispute, such as a large company with a lot of financial and human capital. So, from our perspective, we must think about the effective means of having both enhancing flow, but also necessary protection according to rights and interests attached to the data.
But the necessity of cross border data transfer of course is clear. We have shifted from a hardware base to a software system based social economy on digitalization, obviously, as the moderator just set out, it has become relevant to all parts of societies, but from our perspective, from the government, then this means that the way monies are exchanged, but also the places where the social problems (?) also have begun to change, and these matters also concerns distribution of rights and benefits related to data ownership and accesses.
So, basically, I must also mind that because of this impact of digitalization and what data can do, many governmental authorities, posed by the use of data and digital technology, and this could also lead to the series of introduction of the regulation, for example, to almost, to banning, like, transfer of data outside the country by foreign companies.
But it is important to also remember that many countries are unable to procure the data enough to sustain their own economy innovation within their own borders. So, this is the real needs that we have to have the cross border data flows as a matter of reality. So, therefore, if the country only focuses on restricting the cross border transfer of data in thinking of data governance, their company will not be able to use the data collected from the other country in turn, so data governance must be always considered from the perspective, both maximizing the utilization and data protection security.
But lastly, I must say that the question on how to combine the needs of protection and how you want to use the data depends on the social priorities, cultures, even religions, or economic structure of each society and government in principle, so it should not be discussed based on, like, international single rules or values. So, this is our perspective that we, the government, could perhaps start from the working certain arbitrary treatment, like arbitrary treatment or lack of transparency, or perhaps we could work on the concrete solution of interoperability, like technologies, or lowering the (?). So, what is more the institutionalizing these processes, where relevant actors, both government and non government, engage with the issue is very important, which I could also touch upon later, but for now, that's all from me. Thank you.
>> MODERATOR: Thank you very much, Ms. Meguro. I'm going to turn right into comments from Dave online, because we've mentioned this dichotomy between how certain governments or certain regions approach data flows. And I would like to explore a little bit more of what those concerns are that fuel some of those restrictive policies that you've mentioned. So, Dave, if you could enlighten us about that little bit.
>> DAVID PENDLE: Yeah, thanks and good morning, everyone. My name is Dave Pendle, I'm Stint General Counsel at Microsoft. I work on the national security team, which is the team at Microsoft that responds to government requests for user data from around the world. And certainly, government access requests is kind of one source of the mistrust in data flows, but I'm hoping to kind of up level it a little bit and talk more broadly about some of the other concerns and what they may be rooted in. And for many in this room and who are listening, this is probably not very necessarily news or insightful, but I think it's kind of interesting to look at these restrictions as being driven by different sides of kind of the same sovereignty coin, and sovereignty does seem to be kind of a major driver of the loss of trust.
And the way I see it is that sovereignty can kind of serve as both a sword and a shield, kind of pushing contradictory trends. First, you know, clearly, governments have a sovereign obligation to protect their citizens and to protect their national security, and that sovereign interest has led to an expansion in surveillance authorities. And certainly, governments around the world have exercised, increasingly, assertive authority to address public safety and national security needs.
You also see this come up in terms of fears of governments expressing fears about going dark and the need to kind of pass encryption detections in place. You also see this where governments are seeking authority to access cross border data. And certainly, if a government is, you know, it's investigating cybercrime or child exploitation, because data is global generally, data outside of their borders may be relevant to really important public safety matters within their borders. So, that's somewhat understandable.
And indeed, the U.S. Government has often pointed to the Cloud Act, allows for the U.S. Government to seek data outside of its borders, but that is not unique by any means. In fact, that same principle's reflected in the Budapest Convention and in the OECD Trusted Government Access Principles. It's reflected in the evidence sharing regulations that are going to into effect in a couple years in the EU, where the obligations exist regardless of where the data's stored.
The other side of that sovereignty coin, the shield, if you allow me to use this kind of metaphor. The sovereign interest in the fears of like third party access to data generally have led to these walls being erected, walls trying to contain data within nations' borders through privacy laws, through trade restrictions. We've certainly seen lots of mandatory data localization efforts, limitations on the use of global technology, the fragmentation of the Internet generally, are all in this vain.
We often hear concerns about, you know, potentially U.S. Government access to data, but even here in the U.S., there are concerns about third countries accessing sensitive data of Americans and U.S. persons in the U.S. Government. China's often discussed in that vein.
So, around the world, we see these kinds of concerns materialize through requirements for sovereign controls, through requirements or interests in end to end encryption in a variety of transfer restrictions, and these, you know, again, these restrictions kind of serve as that shield to the fear of government access.
I can't speak to the legitimacy or the actuality of all of these concerns, but in my world, I can speak to concerns about government access. And I would say that there is always some, like, myth busting that needs to take place when discussing government access, and specifically, cross border government access. You know, we report on cross border data disclosures every six months. We get about 60,000 legal demands from governments all over the world for about 110,000, 120,000 different users each year, in a six month period, so you're talking about like 30,000 legal demands. You know, we typically get about 50 to 55 content disclosures that are cross border. In the last reporting period, there was only one that pertained to in enterprise customers, so the majority of those are consumer users.
For the EU folks in the room, or elsewhere, that one enterprise customer is not an EU enterprise, so like the concerns that we hear about the perception that if U.S. technology companies are subject to U.S. law and are handing over the world's data to the U.S. Government, it doesn't really, you know, bear out, if you look at the actual numbers.
One other kind of distinct factor here is competition. And there is this also sovereign interest, of course, in creating space for domestic technology and innovation. That's also been a driver of some of these restrictions. So, that's not an exhaustive list, but there are some themes there about some of the restrictions that we see and causes for fragmentation.
>> MODERATOR: Thank you very much, Dave. Thank you. Thank you. And listening to you, I'm reminded about what Bertrand said in the beginning, that this risk of fragmenting the space because of the lack of trust in data, it's no longer a risk; it is the reality, and there are a lot of causes for that, as we heard from you.
But I'd like to turn to Robyn to see. So, we heard from Dave the causes. What are the consequences of such an approach to data?
>> ROBYN GREENE: Thank you, and thank you for having me here to speak, and thank you to everyone for coming. My name is Robyn Greene. I'm a privacy and public policy director for Meta. And like Dave, while I don't work on the legal team, I work on the policy team. I do work on law enforcement and government access issues and anything to do with Internet fragmentation. And I just, I don't think there is a conversation on Internet fragmentation more important than one on data flows and the implications of restricting data flows.
With that in mind, I'm going to just start with a very brief overview of the kinds of impediments to data flows that we see, because we sort of skipped over that little bit, and not everybody really sort of understands the different ways that these kinds of restrictions manifest. And so, just very briefly, we can see them most often in either expressed data localization requirements that are requiring that data be stored in a specific jurisdiction. Those requirements can be very prescriptive and not allow data to transfer outside of the jurisdiction under any circumstance, or they may be somewhat more flexible and allow copies of the data to transfer outside of the jurisdictions.
In addition to that, we see de facto localization, which is oftentimes where you have regulatory benchmarks, if you will, that you have to meet, in order to be able to transfer data out of the jurisdiction. And oftentimes, those benchmarks are out of the private sector's hands because they are, of course, the purview of the governments that the private sector entities are subject to or simply unattainable for other reasons. And oftentimes, those reasons are because we are blurring the distinction between the types of data transfers that actually occur.
And so, one of the things, when I was in particular listening to Bertrand's wonderful comments, was just sort of noticing how we really talk only about the idea around data transfers being from one legal entity to another third party in a different jurisdiction, and it's very natural to think of it that way, right, especially when you consider how we have really started to consider this debate in the context of GDPR and things like that.
But one of the trends that we're seeing increasingly is actually the regulation and restriction of the physical movement of data, so the idea that even if you are not transferring data between legal entities, that you still cannot move data outside of the jurisdiction where it was created. And for providers, such as Meta, and the kinds of services that we offer, but also for the sorts of providers that do business to business kinds of services, the implications of these kinds of restrictions are really dramatic, but they have the same kinds of implications as the kinds of restrictions when you're talking about, you know, restricting third party you know, transfers to third party entities abroad. The difference is just in that case you're talking about only some data transfers. In the case of the physical movement of data around the Internet, because of how the Internet's built, the interoperable and international way that it was built, it is literally not built in a way that is technically able to restrict the flow of data across borders when you're not changing hands between legal entities.
Domestic communications can often go to international switch points, for example, in order to get back to the recipient. And so, we deal with these kinds of international data flows in a lot of different contexts, not just in the context of transferring data from one legal entity to another legal entity based in another jurisdiction.
And so, when we think of the risks of this, I think the first and foremost risk is generally of Internet fragmentation. And what that means is, essentially, building walls around our Internets, right? Instead of having one global, interon interoperable Internet, it is to have regional silos. And the implications of that are really significant and really hard to estimate in terms of like how severe they can be. And this is in part because when you think about how people interact with the Internet, there is just so much access to information, there is so much learning, there is so much economic development, there's so much connection between different people and different communities. And so, putting up those silos would have a really dramatic impact on cultural, social, and economic norms and the threads that bind us across nations. I mean, when we we think about what we're all doing here and trying to find multilateral approaches to governance Internet fragmentation I think is one of the gravest threats that we see to the goals that we all have here at IGF.
And so, when you think about what is the primary driver of Internet fragmentation, it's the restriction of data flows. In addition to that, though, as I mentioned, when you restrict data flows, it has really significant, chilling consequences for economic development and innovation. You know, as we are learning from Maiko, at the end of the day, we are a data driven economy. Innovation is data driven. And so, we need to make sure that we're able to access data from all over the world, in order to be able to build new technologies, in order to improve existing technologies and grow our economies as a result.
Additionally, human rights have really significant deleterious effects, when you wind up doing restrictions on data transfers. This results in not only restrictions on freedom of expression, access to information, economic rights because, of course, economic rights are fundamental human rights as well and are now reliant on access to the Internet and access to information but also, you know, rights around safety and things like that. And so, we see a really, really significant range of human rights harms result from Internet fragmentation and privacy harms as well. Because ultimately, when you are looking at restricting data flows, the result of that is data localization. And one of the major results of data localization is undermining cybersecurity. When you can't access data and you can't have global visibility of what the sort of data environment is, it's much, much harder to be able to identify and quickly respond to cybersecurity threats, and that's true whether you are a provider of services to consumers or a business to business provider. This is across the board. If you're a financial services provider, if you're a Facebook or Instagram, or if you're a cloud services provider, or really, anything else, the number one thing you need to be able to secure your network is visibility, or whoever you've hired to secure your network, the number one thing they need is visibility of what that global threat landscape looks like. Restricting data flows undermines that, and that has really significant consequences, not only for cybersecurity in the sense of, like, what does that mean for our businesses, right, and the integrity of our data, but for national security as well. Because ultimately, cybersecurity is a national security issue. It's tied to the security of critical infrastructure. And when we interfere with the cross border flow of data, we interfere with our ability to protect those kinds of critical infrastructure as well. Thank you.
>> MODERATOR: Thank you so much, Robyn. That was quite a comprehensive list, and I'm sure that there is more, but thank you for highlighting the main important ones.
I would like to turn to Clarisse and ask you, from the role that you are sitting at OECD, who works with countries in very different jurisdictions, what is the progress that you have seen on this? Because we've been talking about the risks of this for quite some time now. Is the idea, this high level concept, DFFT, of trying to move us away from silos and trying to get a framework we can all agree on, is this gaining traction? Are we moving towards some more harmonized policies on data? And you know, what is the OECD's perspective on this? How do you see this work from your perspective?
>> CLARISSE GIROT: Thank you, and hi, everybody. Good morning, good afternoon, wherever you are. Thanks very much for having me. I mean, it is very hard to come last, because of course, a lot has already been said, so let me build a bit on what the other speakers have been, you know, have said, and your specific questions.
At the OECD, we've been working on cross border data flows for a very, very long time. If you may recall the privacy guidelines of the OECD date back to 1980. And of course, you know, things were very different back then, but still, the principles that you had to balance cross border data flows with the privacy and fundamental human rights of individuals while enabling growth, innovation, et cetera, et cetera, was already there. So, frankly, in terms of philosophy, not being fundamentally new. And in a way, DFFT is nothing new either, in many ways
The power of the concept of DFFT is, first of all, it was developed at a time when the Internet economy was completely different, you know, and we could see that there was a political, geopolitical need, to sort of conceptualize a narrative around the significance of cross border data flows for global leaders, and not only for technicians, if you will, of data protection laws, and a discipline that was considered fairly niche, right? And that has changed with the concept of DFFT.
But that said, it is very important to emphasize that DFFT does not start from nothing. There is a lot we can build on, and this is where the positives come from.
We had the OECD Privacy Guidelines, a lot of data protection laws, if we think personal data have been built based on the principles in the Privacy Guidelines, GDPR and others, and Directive 9546, before GDPR. We see many more data protection laws, personal data protection laws, privacy laws, developed around the world, which in itself is a very positive thing, obviously.
Now, the risks of fragmentation that come with that should be addressed, but that's, you know, let's see still the positive more than the negative in this development. We need an acknowledgment that there are cross border data flows, and to build the trust you need, even if you do not need, per se, data transfer provisions in data protection laws, if you have them, then there needs to be a balance between business interests, innovation, commerce, digital trade, as Maiko was saying, and the protection of individuals, vis a vis the protection of their fundamental rights.
Now, we also have at the OECD a recommendation on enhanced access to and sharing of data, which is even broader, if you will, because it covers both personal and non personal data, and it is firstly, it is based on the fundamental of data driven innovation and that to enable data driven innovation, well, you have to take into account that there is a whole gradation, if you will, of different kinds of interests that need to be protected, and therefore, different kinds of data openness are out there. But there is this idea that there is data openness and data driven innovation at the heart, you know, of the policies, data policies, if you will, of the OECD economy, so that's 38 member countries and counting, because we work with many more than 38 countries actually. The breadth of our work is much larger.
So, the positives here is, I would say, greater awareness to the significance of data and DFFT has played a role there; more data protection laws, and therefore, a greater community of privacy professionals that, you know, sometimes in policy circles we're not aware of, but there are thousands of privacy professionals out there that are used to look at not only privacy, but data governance issues more generally, because data is an asset in itself, and personal data is only, if you will, a subset of that.
Now, it is also important to highlight that we are trying to increasingly sort of thwart out the different sources of impediments to cross border data flows, and there is a large area of those, and it is important to get back to the roots of these divergences, because then you can try building solutions on them. And so, there will be, for instance, variations between the text of data protection laws, let's say privacy laws, and in particular, the data transfer provisions.
Now, sometimes, this clash in provisions is not intentional at all, or there is just a need for clarification that some data transfer mechanisms are not there and should be there, and so, it's always difficult to change a law, but there is no intention to go against, right, standards and some of the practices out there. We just need to highlight the fact that these modifications maybe could be required. It's even easier to do this at the level of regulations and even easier to do that at the level of regulatory interpretations. And I'm very familiar with this exercise, because when I was based in Asia, that's a project that I was working on across the entire APAC region, raising awareness as to the impact of these variations and the compliance costs that come with them is really a key part of any advocacy exercise, if you will, to facilitate cross border data flows in the region and globally.
Now, when you come to variations in the very fundamentals of these and in particular data localization, I can only go back to what Robyn was saying. I mean, this is much, much harder, obviously, to tackle. But even then, since my role is to close on a positive note, I would say, even then, data localization provisions often come from the challenges of, you know, national security access, law enforcement access to data in overseas jurisdictions, and as Dave was saying, let's do a bit of myth busting here, it is very important to look at what's really happening out there. And this is where the work that the OECD has done very difficult work, believe me, this was no easy work, on building the Declaration on so called trusted government access to personal data held by private sector entities for national security and law enforcement purposes kicks in, and we believe that we can build a lot, actually, on this declaration. And I'd be happy to talk to that later.
One last thing, just to build very quickly I hadn't planned on doing that. If you allow me to take just one more minute, to build on what Bertrand was saying about privacy or partnership enhancing technologies. The OECD is working a lot on this. On my team, we have a whole workstream on privacy enhancing technologies. Technology cannot solve everything, but there are extremely promising developments here.
What is absolutely key is to look at the sustainability of the business models of best providers. And it's an ecosystem which is far from stable; yet, these technologies are very often expensive, can actually disrupt some fundamental business models, so it's not easy. At the end of the day, it's all about, you know, looking at things in a holistic way, right? What are the technologies out there? What is the business model behind each technology? How can they be used? Are they sustainable at all? Exactly like data transfer provisions need to be unpacked and delocalization requirements need to be unpacked so that in each category of challenges, we can actually try and find solutions. And that's very much the way to close. We're looking at the pledges of the DFFT agenda is by looking at the big policy objectives, the different challenges under them and how we can build a multistakeholder ecosystem to address each of them. And I think that's why we can still be very positive and look ahead. That's my role, to be positive. So, with that, I will hand it over to you, Timea.
>> TIMEA SUTO: Thank you very much, Clarisse. And in the spirit of continuing on a perhaps more positive note than all the risks that we discussed in the first part of the conversation, I'd like to turn back to all of the speakers and ask your ideas and opinions to what we can actually pull out as tangible solutions to the problems and the fragmentation risk that we've outlined in the beginning. I will ask you to keep it to three minutes each, if you can, because we've been going a bit longer in the first segment, but also keeping in mind I heard Clarisse saying the OECD works a lot on this. It is 28 countries. That's a great start. We are at 190 something in the world, so how we can also move towards that objective of elevating some of the existing solutions into the broader spectrum. Bertrand, I'll go to you first.
>> BERTRAND DE LA CHAPELLE: Yeah, I think it's important also for some of the people who are listening, either here or online. There are some comments that may be mentioned without a full understanding of what is behind the term electronic evidence and access to government, access to user data. Let me explain just very briefly.
If you have a criminal investigation for a crime that is committed in one country, the victim is in this country. The perpetrator, or alleged perpetrator, is from that country. In order to conduct the investigation, you need to have access to sometimes the email exchanges or the trace of the communications, et cetera.
The problem is that, in most cases, this is being stored by a company that is outside of a territory of the place where the crime was committed. This question of electronic evidence is becoming absolutely essential in almost any criminal investigation today, and we do not realize that in some countries, because of the lack of trust, it can take up to one year or two years to get access to this information.
And it has been mentioned, but I wanted to emphasize this and the OECD has done work in this the Cloud Act in the U.S. and the regulation in Europe have been mentioned. It is absolutely fundamental for everybody to understand that a lot of the debate about delocalization is driven also by this factor the inability to conduct criminal investigations because there is no access to the data that is needed. It is a very complex problem, but until we find a solution for this, which is basically that every single country should develop a legislation similar to the eEvidence regulation that establish clear due process mechanisms for the requests that are sent to the private companies in another country, particularly in the U.S. We will not remove one of the main incentives for that data localization. I wanted to explain this because it went through and people are not necessarily familiar.
The second thing and again, it is not a justification, it's just to understand what are the drivers. The second thing is the fundamental difference in perception regarding privacy protection between Europe and the United States. I mean, you're all familiar with the fact that the European Court of Human Rights has for the third time, or maybe we're going to have the third time or, the Schrammstein
>> ROBYN GREENE: The CJU, so the Court of Justice of the European Union, so the European Court of Human Rights. So, since Schramms 2 happened, the court has not looked at
>> BERTRAND DE LA CHAPELLE: But there is a new one. So, anyway, at two occasions at two occasions, the arrangement that was made between Europe and the United States, in order to take into account the discrepancy between the privacy rules in Europe and the U.S., has been rejected by the Courts. And there is a fundamental difference. And if I can mention.
Yek Dote. There was a G20 working group taking place a year or two years ago. And there was intense discussion on the wording around should the different countries foster insurance for interoperability or should they foster interoperability to achieve convergence? It looks completely esoteric, until you understand that behind those words is the difference between two approaches: The European approach is about adequacy, setting a standard and asking other countries to basically reach the same level, exactly, versus a American approach more about model contract clauses that basically says, even if the country as a whole doesn't match the privacy protection, if a particular company is abiding by a certain number of rules, then the transfer of data can happen. So, that's a second tension that justifies, or not and let's be honest, in many cases, the protection of privacy's also an alibi by certain countries that want to have a better surveillance of their citizens, so let's be clear. But that's the second criteria.
And the third one, very quickly, is that because of the expiration, and Maiko mentioned the data which is probably the worst analogy you can ever use for this thing there is a multi vision approach about data that completely overlooks the nature, the specific nature of digital data, which is excludable.
You're all familiar probably with the work on the reverse, on things that are non excludable, the famous comments, governing the comments. We're confronted here with something that is amazing! We can share it without depleting it. We can use it without preventing anybody else to use it. And there is a feeling because of this wrong method for as data is the new oil, that we should horde the data, that we shouldn't give it, because it's bad. If I keep it, I will make the most value out of it. And this is fundamentally wrong, because in most cases, you need to draw in forces to leverage groups of data that doesn't prevent you from using it or somebody else from using it.
So, these are three drivers that do not justify, but explain some of the trends towards, in particular, data localization and restrictions.
>> TIMEA SUTO: Thank you, Bertrand. I'm turning back online to Maiko. We've talked a little bit about your approach (audio breaking up) Sorry. Your approach from your perspective in (?)
Can you hear me all right?
>> MAIKO MEGURO: Actually, your voice was breaking down from our side.
>> TIMEA SUTO: Yes, yes, I think the microphone was a bit faulty, but I think now it's all right. So, just wanted to ask you. You've talked about Japan's approach in a national context. How do you elevate that, either in the context of the OECD or even broadly, to move some of those perspectives into the international sphere and drive towards a bit more harmonized approach?
>> MAIKO MEGURO: Okay, thank you very much for your question. I mean, in terms of making our approach internationalizing, it's actually stayed the same. So, we've put a lot of emphasis to the cloudification across the market reality of data transfer, data collection, or access of data throughout the life cycle of data internationally, to see clearly where the bottleneck or challenges lies.
Just as Bertrand said, many discussions regarding data flow or restricting data flow are based on very unclear understanding of how actually technology works or how actually data is hosted, right? So, it's really helpful to work with, for example, OECD, to actually understand that what is happening on the ground, where the risk lies, and we also have to break down the discussion, because everybody talks about, whoa, there is Internet fragmentation, data restriction is too much. Yes, this statement basically reflects the one sided truth. But we also need to think about, we need to break down those statements to see that, you know, we have to make the problem into the size of pieces that we can actually work on. Because if we break down the issue, then we can see where those multi level, multilateral incorporation is actually affected, right?
So, if you start talking about, for example, government access as a whole, on the very abstract level, it's very difficult to tackle on, but we really have to understand where actual, real bottleneck actually lies. And governments are quite open to hear your voices, but we would like to hear the voices in terms of more specific more I'm trying to find the right word but consumable size of the discussion. Because, like everybody said, data is multifaceted issue. So, if we talk about data in a very vague sense, then here comes the privacy regulators, here comes security regulators, here comes a trade negotiator, and it's very difficult to solve the problem. So, it's always helpful to work with the people like OECD to see how the data actually flows, how the data is actually hosted, where the bottleneck is, where people are actually having the issue.
And to work on this discussion, we definitely need to have the people like the panelists from the private sector in this discussion, because often, the governments do not understand how actually data is hosted in their clouds, for example. So, it's always helpful to work with multistakeholder, like different types of people from different parts of the world.
But, in order to do so in order to do so, we definitely need to formalize the multistakeholder processes at the international level. We need to have certain permanent places where people can gather and discuss and work on those issues. Because often, those digital discussions are ad hoc. We always have this very futuristic, fancy, multistakeholder ad hoc discussions, ad hoc places. But ad hoc does not always help, because often, the cases we're talking about security regulation, we're talking about privacy regulation, and these things are not something you can, like, you know, have a solution in two years.
We need to discuss things part by parts, and we need to have piling up to reach the solution at the height, right? So, which means we need to formalize the processes.
This is where Japan put a lot of political resources to establish the formalizing processes. We called it institutional arrangement partnership, where the G7 leaders actually authorized, and we really worked together with OECD to work on formalizing this process of multistakeholder participation, work on the actual solution, very much looking at the solution oriented processes. So, we're really looking at actual problem solving, rather than working the abstract discussion.
So, I think this is the really important approaches, where we are really talking about topics like data, which concerns a lot of different policies of peers and we need to also work, talk about how the actual technology works in the reality of the digital economy. I'll stop here, but I'm happy to continue.
>> TIMEA SUTO: Thank you so much, Maiko. That was very clear on what we need moving forward, and a huge thank you, also to Japan and the OECD for all the work that you are doing, in the evidence based and expert discussions being driven here. Because you've said there needs to be political will, but there also needs to be expert conversation, and sometimes the two go hand in hand. Sometimes there is also an issue there of what the political conversation is and what is the actual evidence based expert discussion.
To respond to your call on breaking things down a little bit, we'll try to get the next speakers, at least differentiating between what are the issues when we talk about non personal data and what are the issues when we talk about personal data. So, I'll turn to Dave first online and focus a little bit about what policy frameworks enable cross border flows of non personal data, then I'll ask Robyn to talk about the personal side. Dave, the floor is yours.
>> DAVID PENDLE: Sounds good, thank you. Yeah, and I also just want to reiterate my appreciation, respect, and thanks to both Japan for leading the way on DFFT for so long, in such an impactful way, and also the OECD also for convening these discussions and bringing together the right stakeholders to really kind of move the needle in ways that I think that have accelerated. And a lot of folks didn't think were quite possible not too long ago. So, I think things are getting better in a pretty quick fashion, due in large part to some of the contributors here.
Non personal data obviously comprises just a massive amount of global data. It's a big driver in the global economy. But of course, its usefulness, you know, its ability to solve problems related to global health, medicine, related to global warming, scientific research, detecting cyberattacks and protecting critical infrastructure, depends on its ability to flow across borders. And maybe I'll pause there for just a second, mindful, Timea, of the three minute request. But you know, Robyn's point about the impact on cybersecurity is a really good one. And the ability to detect cyber malicious actors today and to thwart them depends on observing certain telemetry and signals that are traveling across the Internet.
Microsoft, you know, has publicly said that we scanned about 78 trillion signals every single day, in trying to detect malicious cyber activity, and we're tracking some like 1,500 threat actors, and that has resulted in a lot of really good ability to protect the Internet as a whole, and that has made it oh so much harder, if you have limitations on the ability to see that data across borders. That's one concrete example that the cybersecurity space probably doesn't get enough attention, but that's a really critical one. So, any restrictions that are placed on non personal data really do need to remain balanced; they need to reflect the very specific purposes of that non personal data; and of course, ensure that access and usability in the transfer capability remain.
Most importantly and this is probably the theme throughout the entire panel, of course is that the approaches need to be harmonized, and it's critical that they be multilateral and interoperable. Nothing will stifle innovation more than a patchwork of onerous and sometimes conflicting regulatory requirements across jurisdictions, so that part is just so critical.
So, policy makers need to work together and learn from each other and pursue evidence based policies to reflect the nuances of this discussion and debate. And are mindful of how the digital economy operates and the many ways that society benefits.
There is some really important work going on with non personal data, DFFT and OECD are the top of the list. There are also just some really valuable success stories and precedents, many of which are on the personal data side, and I suspect Robyn will touch on those. But if I could just quickly note.
The OECD trusted Government Access Principles, one of the reasons why those were so successful is because they did exactly what we just discussed about bringing policy makers together, kind of bringing all of the stakeholders into a room. So often, different audiences in these discussions almost talk past each other. They speak from their own vantage point. I'm certainly guilty of that as well. But the way the OECD convened those discussions and brought in privacy people and national security stakeholders, which are often kind of not part of these discussions, as well as the law enforcement stakeholders and others, was I think why it was probably so successful and they were able to find as much consensus as they did. So, kind of convening the right people is such an important part of that formula.
And we've seen success with the data privacy framework, the current eEvidence sharing, negotiations between the U.S. and the EU are really critical to show that these kinds of bilateral/multilateral discussions are blossoming, and it's just the start. We need a lot more. There are a lot more countries out there that need to be represented. But when governments sit down and work on these hard problems together, they find they have more commonalities than differences. Thank you.
>> TIMEA SUTO: Thank you, Dave. Robyn?
>> ROBYN GREENE: Is this working? Okay. Well, first, I want to echo everything that Dave just said in terms of thanks to the government of Japan and to the OECD, and also, Bertrand, to you and the Datasphere Initiative around the years of work that you've done and the incredible progress that we've made. Having these kinds of permanent places to have these conversations, which I hope we have more of, and discussions around sort of exploratory, you know, or experimental approaches to regulation, like sandboxes and things like that.
Given the three minute limitation, I am going to just burn through what I think are the sort of seven key things that we should keep in mind when we're thinking about how to make sure that we are protecting personal data and promoting data free flows of trust. Many of them are covered by Dave, because ultimately, even when you're talking about non personal data, it's the same kind of, like, technical issue, and so, some of this will sound a little similar.
I think the first thing and this is very specific to personal data is to attach rights and enforceability of obligations to the data, rather than to the data subject. By doing this, you can ensure that the rights and obligations travel with the data, irrespective of where in the world the data is stored or transferred, and you don't have to worry about whether the actual, like, data subjects seeking to enforce their rights are in that same jurisdiction.
In addition to that, international collaboration is key, beyond things like the Trusted Government Access Principles and the sort of forums for discussion, like the IAP. There are opportunities for collaboration and multi stakeholder engagement and adopting shared norms around the basic things that are interfering with or that might facilitate better data free flows with trust, so this would be things like promoting adoption of global cross border privacy rules, global CBPRs. It would also be things like promoting countries becoming party to the Budapest Convention, which would also give those jurisdictions the benefits of the access to the kinds of data sharing that will happen under the second additional protocol. And so, that, I think, is one of the most important things that we can do, because that will also help to do one of the other really important things, which is increase interoperability and harmonization across laws and legal standards.
And so, you know, by joining the Budapest Convention, I think that's something that can actually help to achieve that kind of interoperability. But when you're talking about sort of like non cybercrime and evidence sharing regulations, I do think it's still extremely important to be focusing on whether and how you can improve the interoperability of domestic regulation with other jurisdiction's regulation.
The next thing is a holistic assessment of the policy goals. I think one of the problems that we have is not only that we have these conversations in silos and silo sectors, but we also think about digital policy in silos; we think about privacy is living in its own silo and safety is living in its own silo and cybersecurity. But increasingly, the reality is all of those things are in a melting pot together, and we need to be able to look at what the various policy goals are when we're assessing what our data governance frameworks are and figure out what's the best way to get to the end goal, rather than how to regulate each individual silo as perfectly as possible, because then you're not going to build that kind of intersectionality that you need, and you might wind. Up having data governance approaches that undermine data governance or cybersecurity goals or the like.
In addition to that, I think having an understanding of the legal and policy environments that invite foreign investment in data centres is critical. One of the things that we see, as many of the jurisdictions that are considering data localization requirements are doing it as a means of forcing domestic investment, and that is really not an effective way to encourage foreign investment in jurisdictions. The most successful jurisdictions that are inviting for foreign investment and building data centres have certain qualities, like rule of law, have an open regulatory environment that is very predictable, and basically, have economic environments that make it possible for companies to build data centres.
And then, there is infrastructure kind of issues and things like that, making sure that you have the kinds of, you know, stability in electricity access and clean water and things like that.
In addition to that, though, I think we need to do a lot more work to, at the outset of drafting regulations, particularly where those regulations may restrict the flows of data, making sure they're technically compatible with the Internet infrastructure and consistent with the values of an open, interoperable, and secure Internet. If that can be the North Star for all of the regulations that we put forward, then I think we'll do a much better job at promoting data flows while accomplishing many of the other policy goals.
And then, finally, look to the future. We cannot just regulate for what the, you know, what the technology of today is. We need to be regulating for what the technology of tomorrow will be. AI may be one of the best current examples of that. You know, restricting data transfers internationally is very deleterious to the development of effective and accurate AI models. They, of course, require diverse data sets, accurate data sets, and significant amounts of data in some cases.
And so, when we're thinking about this, not only in the context of AI development, but also in the context of what's going to be the next technology, I think we should be thinking about today's regulations in the context of how it will impact the future.
>> TIMEA SUTO: Thank you, Robyn. Quite a lot of mentions of expert conversations needed, overviews of policy systems, trying to figure out commonalities, holistic approaches, and a lot of mentioning of the OECD. So, Clarisse, if you'd like to respond to any of this, but also if you'd like to highlight anything in particular that the OECD does to try and drive forward these frameworks.
>> CLARISSE GIROT: Yeah, thank you so much. And thanks to everyone for, you know, praising the work of the OECD, in this space, and Japan, of course. I mean, I just boarded the train, as it already left the station. All credit to Audrey Plonk, who really initiated this work at the OECD on government access.
I think, you know, to build on what Bertrand was saying, indeed, we have a globalization of criminal evidence. Criminal evidence now is 80% of the time located in another jurisdiction, if I listen to what experts around us have been telling us, and we also see that national security agencies are now part of the global ecosystem on data flow, so it is a fact of life, right?
And it was very difficult to touch these issues beforehand, also because there is no such thing as a national security community, if you will. Like, there is a privacy community or a Global Privacy Assembly for privacy regulators, such thing in national security.
I think, indeed, to build on what Maiko was saying, what is key is to bring the right people into the room. And we shouldn't understate how difficult it can be, and particularly in the area of government access. But if we've done it in this particular field, which is probably one of the hardest, it is definitely possible in other areas.
Just FYI. You know, we've been talking a lot about the Declaration since its adoption, and there's not so much out there that we're doing with it, but there's a lot of work happening behind the curtain, so we haven't stopped with the adoption of the Declaration. We're promoting it very hard. We're working. We're inviting non OECD countries to adhere to the instrument. We've been doing a lot of work, which is extremely promising, and we hope that, you know, in 2025, we see more interesting developments to share with you.
Just another example, and I will close with that, the possibility of doing the right thing, once you have the right people in the room, building on the data free flow with trust community that we have built at the OECD as part of the so called IAP. There is a working group that feeds into a very complex area of work on the intersection of cross border payments and data frameworks, work which we do with the Financial Stability Board, Financial Action Task Force, IMF, BIS, et cetera, et cetera. It is the first time that everybody comes in the room to discuss the challenges met by cross border payments and the intersection with cross border data flow regulations.
This is happening at a fairly fast pace. It is extremely technical. It's extremely complex. You cannot make any progress without having everybody in the room talking to each other, making efforts to understand each other. It takes here, again, a lot of effort and a lot of resources, to be honest. The data free flow with trust community, this particular working group is exceptionally useful, because we bring in all the payments operators and, you know, financial institutions that feed into, you know, the expertise that we need to do the right policy work on the site. So, it's just an example, if you bring the right people, you know, there is hope.
I could mention also work with you on privacy enhancing technologies. Very happy to keep discussing with Dave and Robyn along personal data and cybersecurity issues, in particular. As long as there is a space to meet and a team that can animate a network, right, of experts, there is hope.
And I think, really, I don't want to sound naive or anything, because this takes a lot of hard work, believe us we know what it takes at the OECD but to go back to what I was saying earlier, I think there is great awareness as to the risk, the actual risks for society as a whole, not only in terms of compliance challenges for businesses to, you know, impede cross border data flows. I think this has come top of the agenda for global leaders.
Greater awareness of the solutions that are already out there, that we're not starting from scratch, as I was saying earlier. There are communities of experts out there. There is, you know, there are a number of legal frameworks out there that we can build on. And some conversations remain exceptionally hard, and maybe we need to keep working on those.
Data localization. Here, again, gradation of data localization requirements, exceptionally hard. But you know, again, if we made progress in these very complex areas, there is no reason why we cannot have, you know, sound, stable, long term discussions here, and of course, fora like the IGF are absolutely fundamental in that respect. And with that, I will stop.
>> TIMEA SUTO: Thank you so much, Clarisse. I think we have about maybe ten mens ten minutes for one or two questions from the audience, if there is anything that those who are listening to us online or here in the room might want to raise. I'm sorry, I can't see everybody from here, but yeah, maybe I'll pass the mic to you.
>> AUDIENCE: Good morning. I'm Rapid san from Cambodia. So, based on the discussion, so I would like to ask, how do you, like Meta or Microsoft or OECD, assist the developing country on the data governance?
Because for example, like in Cambodia, not only the we don't have a national governance, but the policymaker also are not well aware of the comprehensive of the data governance, especially the cross border data flow. So, my question, how you can assist the developing country? Thank you.
>> TIMEA SUTO: Thank you for your question. Are there any others that we could maybe group together, or should we take them one by one? No, I don't see anything online either, so
>> CLARISSE GIROT: I see sorry, apologies for jumping in. I see someone online, Evgeny. Sorry.
>> TIMEA SUTO: Oh. Let's go to Evgeny. Can the speaker who raised their hand online try and speak? No? Then we have another question in the room. Maybe we will go back online to the speaker. Jacques, please.
>> AUDIENCE: Thank you. My name is Jacques Peglinger. I'm also a member of the ICC delegation. But what I see in practice is also a certain difficulty to, when it comes to regulation and to handling data, to distinguish between personal data and non personal data. I think this is an absolute crucial thing for industry, in particular, consumers to know exactly, to look into which policies. So, maybe how to distinguish?
>> TIMEA SUTO: Okay. I think I heard something online, so maybe we might be able to hear a question from online, if you would like to please try again?
>> EVGENY TONKIKH: Can you hear me? Glad to see you. Very interesting discussion. My question may be more general. You touched many aspects, I guess it's very interesting. So, I would like to highlight intervention, my colleague who mentioned the legislation between the United States and Europe.
So, I guess it's a real problem, in terms of how we may, how to say, maximize approach like GDPR in Europe and approach more flexible regulations. In this case, how we can find common ground, because trying to collaborate on personal data or market data, whatever, we should use less restrictive or, how say highly restrictive approach.
In both cases, each country will be not happy, because in case of Europe, GDPR provides enough restrictive limitations, so regulations. In Russia, we have very similar. But when they are going to Asian market, for example, yes, we should have bilateral cooperations and regulated case by case.
If we try to find common ground, like for less restrictive, I'm sure with my country, could Europe agree to, has a degree level of these regulations, how we could proceed, how we find middle ground in this case. Because it's each country, like United States, Europe, Japan, have only reason why we have regulation like we have. What is the possible approach?
Because plainly speaking, I'm not believed to have some global equal or unified regulations. I guess it's impossible to reach. Thank you.
>> TIMEA SUTO: Thank you. Thank you, everyone, for your questions. So, I'd like to turn it back to the speakers and see if anybody would like to pick one question in particular or address all of them together. I think there's a common thread there of how do we drive to actual tangible solutions to this; how do we assist developing regions or those who have questions or different approaches to this; and how do we drive for commonalities? I mean, we know that it's impossible to have one single global regulation. I don't think anybody is driving for that, but I'm just wondering if there's a way, I think if speakers here have solutions to how we drive towards more harmonized or interoperable approaches.
We've lost the online room, but I hope that we can yeah, we see you now. Okay, perfect. Now I see all the speakers. Who will want to go first? Yeah, Bertrand first, and then Clarisse. Go ahead.
>> BERTRAND DE LA CHAPELLE: Quickly, a few elements. The first thing is that we are using the term "interoperability" and legal interoperability is actually an expression that I personally have pushed a lot in the last few years. But at the same time, this is a very good concept, but its implementation is not really something that we are able to describe very, very clearly. So, it's an aspirational element.
But I think we need to have a serious discussion of what do we mean by interoperability? Because we know what technical interoperability is. Legal interoperability is a little bit difficult. It's envelopes of regulation, what is required, what is acceptable, and what is forbidden, which is what in logic is called the deontic operators. How do you combine the overlap of legislations when you have a situation where they actually both apply? So, the debate that I was mentioning regarding, is it inadequacy or is it CDPR type of approach is the typical core. I think we need to explore this topic a little bit more.
The second thing is, to go to what Jacques was saying. We don't pay enough attention to non personal data. Personal data is an extremely important element, but there is so much value that can be created by non personal data that we need to be very careful not to be just obsessed by one dimension, and we need to go to other things.
What is really interesting in this question is, as he said, the frontier between the two is not as clear cut. And particularly, a field that I'm particularly interested in, which is the medical data, I think there is enormous potential in the training of AI for diagnostic. This requires an enormous amount of data to train the AI.
I think it is and Clarisse was mentioning the word (?). This is typically something that can be done using federated learning, which is very applicable. And medical imagery is something that can relatively be anonymized without too much fear of deanonymization. So, this is a perfect example of something that leverages a new technique, which is federated learning, which is different from just sharing the databases.
Using anonymization to bring the data that is normally very sensitive data to something that is anonymized, to develop something that is clearly an AI application, beneficial for humanity.
And if I want to throw in an idea here. For people who are familiar with how organ donation function, in most cases, when you have an accident, your organs can be used if you have opted in to say, yes, my organs can be used. In some countries and I think it's the case in France they have moved to an opt out, like, unless you say I don't want it to be used for transplant, if you have an accident and it can be used, the organs are going to be used.
I'm wondering whether, on medical imagery, an equivalent shouldn't be explored to say, you have the right to the personal information that is related to your medical imagery and your personal data, absolutely, but there is a global public interest to making the anonymized picture available under certain conditions for the training of AI. And I think this is a discussion that is typically around trust. It's about new technologies, like PETS, that respond to the motto I was mentioning on responsibility of unlocking the data for AI. I think we need to have a more innovative approach for how we leverage data and how we responsibly share data.
>> TIMEA SUTO: Thank you for that. Clarisse, you wanted to come in online?
>> CLARISSE GIROT: Sure, very quickly. So, first of all, to the comment, the question of our colleague from Cambodia. I think it's very important. You know, Cambodia sits within ASEAN, and there are lots of very interesting developments within ASEAN. I was part of an expert group working, an ASEAN working group on data governance, to put it very shortly. And together, we put together a set of contractual clauses, ASEAN model contractual clauses, which were sort of a simplified version that worked for the ASEAN, and basically, you know, the Asian region. And that could be articulated with the EU standard contractual clauses, which date back, some of them, to 2001. And it is actually very interesting to do the sort of benchmarking exercise.
Like, in ASEAN, given the state of the laws at the national level, we do not need more than this. And actually, it works. It's Plug N Play. The ecosystem locally is less, you know, used to complex data protection laws like we have them in Europe and in the U.S. and elsewhere. And therefore, you know, it works. Like, I was in Singapore a few weeks back, and actually, practitioners there told me that their ASEAN based business, their clients, they actually use this model ASEAN clauses. In other words, no one size fits all, for sure, and there are similar initiatives in Latin America, which are extremely interesting to watch as well.
I would point you to a report we published last year called "Moving Forward on DFFT," on data free flow with trust. We did actually a huge range of interviews with global at the global level, you know, in all regions of the world, to understand what the particular challenges were. Government access always a challenge, but you know, generally speaking, lots of very positive findings in there, lots to build on.
So, I think there is room for cooperation here. At the OECD, we're not limited by the boundaries, you know, of the 38 member countries. Far from. We do work with a lot of stakeholders outside, including governments, of course, outside the membership. Very happy to keep discussing this. It's very important to not impose the idea of harmonization. I know I talked a lot about the Brussels effect, which, it's true. Like, the GDPR sort of exported in a way. But that does not mean that beyond the principles and some key rules, like accountability, for instance, and basic data subjects, right, you have to export sometimes a complexity, which is a text that builds on long legacy with the principles. And I think there is a global acknowledgment of that, so that's a good point.
I won't go too far into the PETS conversation because it is extremely complex, just to say that at the OECD, we also have an important recommendation on health data governance, which looks, in particular, at the sharing of health data. Health data being understood very broadly. And indeed, the border between personal and non personal data can be a bit blurry, and there can be work done here, but still, there is a very clear, you know, difference between non personal data, like in the cybersecurity space, you know attacks on infrastructure, et cetera, et cetera that has nothing to do with personal data at all. So, we need to look at the border in the middle, like anonymized data, how anonymized is it? Can it be deanonymized, deidentified? There is still here a margin of maneuver and of cooperation between privacy regulators in particular with the support of industry and civil society groups whose expertise is sometimes underestimated in this space.
Anyway, there's too much to say in an hour and a half, but I'm happy to continue the conversation offline.
>> TIMEA SUTO: Thank you so much, Clarisse. I think we have three minutes left on the panel, and three panelists who haven't spoken this last round. Any last words, key takeaways from Maiko, Dave, Robyn? Go ahead, Maiko.
>> MAIKO MEGURO: For myself, so it was great to have this discussion across the private sector, international organization, and also government, which is myself, because we really see that we need to actually have the right people in the room in building the DFFT and working on the real problem and setting the right questions. This is also really proved by this panel. That's how I see this panel.
But also, we really see that so, today, we really had a lot of private sectors, heard from a lot of private sectors that different regulation, uncertain government access are really the issue. And I think through the DFFT, we really should sit together and put together the legal and technical perspective together to identify what is the real genuine problem that a company has, and also, what are the actual purpose and function that those regulations actually need to tackle on? Because Japan is actually working on these sort of exercises with experts to assess more than 1,000 regulations with view to the changing assumption and the condition following digitalization. So, we are trying to work on integrating the privacy enhancing technologies with our governance, and we are really trying to help to see that we are trying to see where the regulation comes from and what has been changed and what needs to be changed, in order to adapt our society into those digitalizing realities.
So, we really think that DFFT is materializing this sort of approaches to bring together the people from the different sectors and trying to break down the silos so that we could have more innovative solution towards a new situation which is set by the DFFT.
Also, one last note, that it is very important to keeping DFFT as the agenda for high level political discussion, like a G7, G20, or other foras, because high level political instruction is very important to push the governments to move towards innovative approaches.
So, of course, the Japanese government keeps trying, always putting the agenda of the DFFT at high level discussion, but also, please remember those, like, people from the different sectors that, actually, those high level forum really needs to set those important topics as a priority for the governments. This ends my words, so thank you very much.
>> TIMEA SUTO: Thank you, Maiko. Dave?
>> DAVID PENDLE: Just take maybe 15, 20 seconds. But cooperation on data governance requires trust, and you'll never achieve that unless we're talking to each other. So, it's been really encouraging to see a lot of governments roll up their sleeves and do just that.
Then to make a point that's been made a few times but is most critical, that these conversations on problems must be grounded in real world experience, and it's important that policymakers not solve for misperceptions, but they solve for problems and risks that are evidence based. So, bringing those right people is key to that.
So, maybe I'll just close of, in the words of Clarisse, if you bring in the right people, there is hope. Thank you.
>> TIMEA SUTO: Robyn?
>> ROBYN GREENE: Sure, it's fair for me to have to follow this group of folks, circling up their final thoughts, but I really do agree with everything that's been said.
I think the only other thing that I would add is the really critical importance of keeping in mind the technical limitations and the importance of the technical compatibility of regulations with the global Internet infrastructure and the importance of ensuring that you're looking at each of these policy issues not in a silo but in the larger context of what the policy and data governance environment looks like and what the implications of one regulation that we stricts data flows or promotes data flows could be on other policy goals. Thank you.
>> TIMEA SUTO: Thank you so much. We've run over time, so I won't take too long in wrapping this up. I would just like to highlight that we've heard quite a lot of commonalities here around needing common principles at the top, common direction at the top, and political will at the top to want to address this that needs to then translate into a holistic view based in understanding and evidence of what the issues actually are, and that that needs to be followed up by action by experts in multistakeholder forums, such as this one, to ensure that the will and the principles translate into actionable solutions that are not just looking good on paper but are actually implementable by those who work on it on the ground.
And we've heard quite a few examples on this from the work of the Jurisdiction Policy Network back in the day on eEvidence, to the work of the Datasphere, to the work by Japan and the OECD, and what companies are doing on the ground and also what they need to progress on this. So, if you want to hear more about what the private sector thinks, come by the ICC booth. We have publications and data. Please take a look. You'll also find us online. And with that, I just want to say a huge thank you to the panelists for being here and for this discussion. To all of you who stayed up late or woke up very early, thank you, as well, online, and everybody who joined us here in the room and online. And of course, a huge thanks to my team who helped us pulling this session together.
So, with that, thank you so much, and a huge round of applause to the panelists.
(Applause)