IGF 2023 - Day 1 - WS #197 Operationalizing data free flow with trust - RAW

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> MODERATOR SUTO: Good afternoon, evening, morning, everyone. So good to have the IGF live again and have everybody with us. We will give it one more minute to see if anyone else wants to walk through the door and everybody find their seats and then we will jump right to it.

All right, I think we are ready in the room in Japan. Glad to have our online speakers as well. My name is Timea Suto. The International Chamber of Commerce convened at this IGF. It's a topic we have heard a lot about already in the past day and today. And a lot more in the past years. Especially amid the global health crisis we have been living through. We have seen how these pose risks to the very functioning of a rules based multi-lateral system and enacting policy frameworks that allow to open interoperable nature of the internet has really proved essential and we have talked a lot about that in the past years.

Trust of the global data flows are really the engine that moves the internet, that moves innovation, competitiveness, growth. And they are a powerful catalyst of socioeconomic empowerment.

However, despite this agreement we have around their usefulness and potential, we see a growing trend of mistrust and cross border data transfers. And due to many various concerns such as national security, privacy or economic safety and the fear these very important goal s could be compromised. This fuels measures like data protectionism and others which really deeper fragmentation, segregating information that under pins the broad range of socioeconomic activities and undermining cybersecurity. Unilateral policies such as this exacerbate digital divides and may have patch work of conflicting regulations.

What the international Chamber of Commerce has called for is neutral policy frameworks that are really able to unlock the benefits of data while respecting fundamental human rights, including the right to privacy and protecting public safety. This, in our opinion would reinforce in cross border data flows, boost innovation and tap into that socioeconomic potential, the benefits that data has to offer.

So there have been notable developments that progress such frameworks that go against the grain of this fragmentation of the data policy space. And there's one of them that's the most coated these days no coincidence we are in Japan data trust flows coined at the G-20 summit. Other elements that move toward this direction of enabling policy frameworks is government access of personal data held by the private sector entities and work also in the G-7 now to operationalize the DFFT with partnership. So there's a lot of work ongoing to try to set frameworks for data governance.

What we are trying to do today with the panel here and online is to try to make sense of some of these. Try to think about why we are talking of data first. Secondly, why we are talking about data flows. What are the potential. What are some of the risks. And see how we move forward to truly operationalize this concept of data free flows. With me today online and in the panel, I have a panel of experts that have dedicated time and thought to this topic. So without any further ado, let me introduce them real quickly and we will start the conversation. So first we have with us online, Ms. Nnenna Nwakanma.

To my right Raul Echeberria. Carl Gahnberg. Mr. Dave Pendle, assistant general counsel, law enforcement and national security at Microsoft. To my left here, Maarit Palovirta and online with us, we have Mr. Jakob Geiner, Vice President for European affairs at Dutch Telecom. Thanks, Jakob.

To start our conversation, I will turn to first four of our speakers. And ask them to think about what are the commitments that we have had on cross border data flows. And how are we looking into some of these risks and fragmentations that try to undo those commitments we have for maintaining data flows.

I would like our speakers to talk a little about sharing their views. What steps have been taken so far to operationalize cross-border data flows and what are some of the necessary principles to enable this.

We have a lot to go through. So without further ado I will turn first to Nnenna to discuss the data flows and  in the development context.

>> NNENNA NWAKANMA: Hello, everyone. Thanks for having me. I love to use demonstrations, they make things come alive for us.

For those of you who traveled to Kyoto, when we are talking about data flows, it is not very different from traveling. So you book a flight, you get to the airport, you go through security, you hop on the plane, you trust that you will arrive at your destination, which most of you have. And it is in the arrival of everyone that we can have this and other sessions. And we enrich ourselves the whole week and each go back to the airport, take our flights, go home and continue the work.

So my visual illustration of data flows is actually the same as human flow.

So flows follow flows. And data flows is not very different from human flow, or what we will call human mobility.

Now why is this very important to me sitting in West Africa today? The one thing that is important to me is there is revenue involved. There is money to be made. And this is like, Timea said in the opening speech, it's about growth, growing economies, it's about growing people, growing countries, growing continents. And in Africa this is very important to me. Data flows for me is first of all, a human development issue.

The other point is in the SDGs, we all recall when we were fighting for these, we said data was at the basis of the SDG, data was a product and driver and all that. So we cannot reach our development goals without data. That one is a principle that the whole world has accepted. And while we are working on these principles that's where our session today comes in. How do we operationalize this?

I come from IDA, international digital health and internet research. Everyone knows that A.I. is built on data. And if we don't have data we cannot function. (I-DAIR) applying this to health is very important to me. We have the principles of data  anonymization, I do agree. It's built on cross border data flows.

In many developing countries, we actually need data in agriculture, we need data in education, we need data especially in health. And if data doesn't flow, it's like people don't come.

So for me, data flows are very important in critical areas of development.

Now operationalizing it is why we are here. The principles, the understanding. So I'm speaking to people who are travelers and I want to come back to my initial illustration. We all know that international air travel association exists. It is not run by government alone. There is someone here from law enforcement. There is someone here from network operators. Network operators is like airline operators, right? And then there's the guy who will check you in, who is just the national security person, right? And then there's the other one who stamp your passport when you arrive, make sure everything is in order. It's a whole ecosystem out there. That's why it's important that we agree. It's not a government-only issue. That is my biggest submission today, Timea. I know that some governments have challenges with the internet and how it is built and how it runs. And I want to bring them back to the point that you should not be afraid, we can build trust together. Despite the fact that governments alone do not run  --  the aviation itself still grows. Government still get taxes, people like me still get my miles and you all get your photos with the pilot and all of that. And we all come to Kyoto and enrich ourselves and go home and keep enriching ourselves.

Here are my submissions. I know my minutes are few. Understand flows follow flow. Data flows are like human mobility, we can call it data mobility. And this is revenue creation. It is in moving, it is in confronting, it is in being used that data gets value. And this movement, this free flow of data, having it in a trusted environment is of use to every single one of us. It is even more critical for people like me in developing countries for someone like me in digital health, for someone like me in A.I. research. Thank you very much for having me. I'm glad I can participate online and I'm happy that I can contribute to the flows. Thank you.

>> MODERATOR SUTO: Thank you, Nnenna. I think sometimes it becomes esoteric and you really made that relatable. Thank you for that. And thank you for sharing the perspective also from your home country and your own experience that sometimes it is so missed in some of these conversations. And thirdly, thank you for making it clear that trust is based in dialogue and cooperation. I think we take good note of that. Sheetal, Nnenna mentioned getting Bas back to the basics and making sure operationalizing data flows is what we committed to. What are your views on that and what are the commitments of the baseline principles we think we should make to uphold data flows?

>> SHEETAL KUMAR: Thank you, and thank you for having me.

Great, thank you, Timea. It's great to be here and talk about a topic embedded in so many of the discussions we are having at the Internet Governance Forum.

I wanted to highlight two points, which I think are cross cutting and important when it comes to principles.

One is the importance of a human rights based approach. And the second is the need to address trends such as data and localisation and the types of measures that you mentioned earlier, sovereignty, et cetera, that lead to, or stem from mistrust. And that also affect human rights based approach.

Finally, I wanted to touch upon one point which I think we aren't seeing reflected enough perhaps in principles, which is about  equitable access to data.

On the first point we need to recognize there's a difference between personal data and non-personal data. I know Fellow panelists will speak to some of that. Either way, frameworks that are underpinned by human rights principles will create and enable clarity and protection of data that is so critical for trust.

And that's why I think data protection legislation embodies, of course, a lot of the principles that we require, that need to be implemented effectively, when it comes to personal data.

And for that reason, all cross-border data sharing agreements should reflect and must reflect human rights standards.

But on this point, I think one of the areas that perhaps we are not seeing enough engagement with different stakeholders is on the topics of data governance. Particularly, some parts of the world where perhaps these discussions are more difficult to access, expensive to engage with. And I just wanted to note that colleagues from consumers international, and I know some of them are here held a Day 0 event yesterday where they were addressing some of these and reflecting the need for more digital rights civil society and consumer groups to be involved in discussions across data governance, more generally. And also it's important to look at the full process. While data, the framework you mentioned, data free flow with trust considers legal mechanisms. It's important to also consider what happens after data flows when it is stored. The whole life cycle and how consumers can ensure their rights are respected throughout that life cycle.

And you mentioned the institutional arrangement for partnership, which is looking to operationalize the framework. That's an example of where I think it's very important to reflect the role of Civil Society in that, and there is a nice infographic on the website that you can access and there are different stakeholders illustrated there. But Civil Society, I think, still needs to be reflected in that, and it's missing at the moment.

Data localisation, this is something in the data free flow with trust framework is recognised to be a barrier, of course, to data flows.

It stems from various different, well, different reasons are given for data localisation, but as it shows, the world economic forum paper on the framework shows that whatever the reasons that are provided for requiring forcing data localisation, forcing data to be stored in servers in country, it doesn't have the effect that it supposedly intended, growing the local economy. It actually has detrimental effects of the local economy and can lead to surveillance and the harming of rights in countries as well.

Data is not valuable in and of itself, you need to interpret it, analyze it and do something with it to have value. That involves broader infrastructure. It requires of course technical knowledge and capacities, broader physical infrastructures and knowledge infrastructures and that is not always the case. So you need to invest in that, and some parts of the world there is inequitable access to data, ability for Civil Society and researchers to make use of data for health, you know, for reasons and in other industries and sectors as well. So that needs to be addressed.

Let me stop there and happy to pick up some of those points later.

>> MODERATOR SUTO: Thank you, Sheetal, a lot you managed to pack in the small amount of minutes we have allotted you but thank you for bringing it full circle, why we want to talk about data and what creates the value of data, linking it back into what is its potential but also reminding us that we need to commit to making this work and making data usable and making sure that it respects all kinds of expectations that we have to it, and that includes really having everyone around the table. Thank you for that.

Now with the reminders of what is the value of data and what are the commitments we need to have in place to make use of that value, I want to talk to my next two panelists and talk about the risks we face if we don't make the commitments. Raul, Nnenna mentioned the developmental risks we are facing. But what is your perspective sitting at the head of ALAI lists we may have from economic perspective if we don't make this commitment?

>> RAUL ECHEBERRIA: Thank you very much. Thank you for the invitation to speak at this panel with the distinguished colleagues.

I was thinking, I like aviation, I was thinking I have suffered a few flight cancellations in the last few months. So maybe that could be equivalent to when internet is down.

I think many people speak about, say that we are living in an economic database economy. I think this is not totally true. It's not completely true. We are living in a database society.

Every public and private services that people access are based on data and I'm speaking of head services and government services but also marketplaces and commerce and everything. But sometimes we think it's only, that data is only a problem that has relation with internet platforms or marketplaces but internet is everywhere. That's why we need the data to flow freely and we enable those services are available for everybody and create benefits for everybody in the world.

And obviously, there are rights to be protected. So I agree with Sheetal, the human rights approach.

This is very important. This is why we need the legal frameworks to ensure the data transfer and flow is secure. Create the conditions, not to block the data flow but create the safe conditions, the appropriate environment for ensuring that the data is being available in the way that is needed but protecting the rights of the people.

Free data flow should be the norm, not the exception.

We need to have good local policies but also interoperable and regional and global approaches. There are different policies that impose restriction to the flow of data. So creating restriction for people to be benefited with digital development.

Sometimes are very specific policies like data protection policies, when we discuss is very common that people misinterpret policy makers make for data transfer, for example. Some people think that is like a box with data I'm sending through DHL to somebody else. So we need to block this kind of transfer. Accept there are agreements and consent for the people. But for example, think when we are coming to Japan, and we are trying to book a hotel. From my country, I book a hotel in Japan from a platform incorporated in a country in Europe, but using payment platform that is based on the United States.

So the data is flowing through companies based in different jurisdiction, but always a part of the same. Its difficult to explain to policy makers. Basically in good faith but trying to protect the rights of the people. But sometimes policy impose restrictions to data flow. And at this moment we are dealing with exactly this case in at least three countries in Latin America.

But sometimes it's other kind of policy that's has nothing with that data transfer. But policies that deal with infrastructure or taxes or content moderation. Proposals that include the possibility to block applications in some conditions. So that's creating a very fragmented internet. And it's clear that a fragmented internet is the perfect scenario to block data flow, because it's impossible it's like to cross a river without a bridge or without a boat.

I think that's one of the challenges we have to work much more with policy makers. To try to achieve a better understanding of those concepts, data flow, fragmentation. But we also have to work among all stakeholders, not just governments.

Two more points we need to evaluate and analyze the impact of proposals, policy proposals, data flow and fragmentation. We need strong commitments among all stakeholders to not promote policies from each stakeholder group. To not promote policies that potentially could lead to fragmentation just because this is aligned with the interest of one specific group.

So I think those three points are what I leave for people for the discussion. Thank you.

>> MODERATOR SUTO: Thank you so much, Raul. And thank you for noting that very complex policy space and really what we have to take away is to look at policy measures and our thinking around data. But also other matters that might impact data in a holistic fashion, in an ecosystem view to make sure that we hear from everyone and we don't inadvertently have consequences when we don't intend to have them.

Still on this topic of trying to figure out some of the risks we are seeing around fragmenting the policy tactical governance space around data. Continuing to call online to share a couple of his thoughts what are the technical risks in fragmenting the policy space around data governance.

>> CARL GAHNBERG: Thank you very much and thank you very much for the invitation to this panel. I regret I'm not able to be there on site but looking forward to the conversation here and follow the rest of the discussions this week. I think kind of a useful starting point to think about data flows and conversely the risks of technical fragmentation is to kind of recognise that when we talk about the internet and why the been so successful, it doesn't only come down to specific technologies that you might hear about. It doesn't only come to technology like package switching or internet protocol. It really also includes how you make use of those technologies. How you puzzle them together, how you operate them. How you allow them to evolve and so forth.

One of the reasons why we are talking about internet governance for instance and the importance around the management of the DNS or IP addressing or the value of open standards development is that they are not just "Nice to have" they are really kind of intrinsic to this model of networking that we have in the internet and what's made it so successful. That's also why at the Internet Society we talk about the internet like that, the way of doing that networking, a model how you do that networking.

From this perspective, the internet has some networking features that contribute to this operationalization to data flows. These ensure you have a infrastructure that is extremely accessible, that it is extremely efficient in terms of expending connectivity and by extension data flows both within and across borders.

A simple principle in the internet that is extremely efficient, let's say you are a new network that would like to join the internet. All you need to do is negotiate an interconnection with another that is part of the global internet and that also allows yours to be part of the global internet. The this feature you only need one and suddenly you have global connectivity to everywhere in the world. And by extension data flows all across the world. So that's a really important principle in the internet that help operationalize data flows.

The other important piece is the internet is built to evolve. The really good at adapting and evolving over time and this comes down to this principle using open standards and having open architecture because you can upgrade internet over time. You can take bits and pieces and improve them without having toe tear down the whole thing, you can upgrade bits and pieces of the internet as you see the need evolve. We have seen this principle play a role cross border data flows with trust specifically. This relates to what happened about a decade ago, I'm sure people are familiar with the Snowden revelations that brought awareness of systemic surveyance of internet communications. Some might remember this provokes a very strong reaction from the internet community, all parts of course. But including amongst of the governments that wanted to restrict data flows across borders. There were some governments at the time that even wanted to prevent traffic from traversing networks in the United States and interfere with the routing system to prevent these cross border data flows.

Now of course this provoked a reaction in the internet technical community, to strengthen the internet and prevent these kind of attacks on the internet and the ITF even adopted some new guidance in its standards development processes where pervasive monitoring of this kind that was revealed in the Snowden revelations is to be understood in technical in tact and ITF community should try to mitigate those risks in the design of protocols. This was kind of enabled through the open architecture because the community could upgrade existing technologies by adding security, notably in the form of encryption to ensure you could have greater trust in data flows and notably cross border data flows.

Now the reason I'm bringing up these two cases and the link to these two principles we are seeing threats to the internet right now, they could result in internet fragmentation. They are targeting precisely these two principles I just mentioned. The internet accessibility and ability to facilitate these cross border data flows but also the ability  secure data flows through encryption. We see a worrying trend in countries like south Korea, India and EU imposing regulations that would require online services to pay large telecom operators network usage fee. So this would in effect be a termination fee that would be impose on the network. Not only would this violate net neutrality, the principle, it would also undo the fantastic progress we have seen in many of these countries in the past decade in terms of promoting safeguards through the free flow of data through net neutrality rules. But violates the principle of the internet, about the reachability and accessibility of the network. I would recommend the internet board wrote highlighting this and how these violations could affect and cause internet fragmentation.

We are seeing on the other hand this threat toward securing data in transit. We see a worrying trend governments are trying to end the use, the very technology that helped enable cross border data flows in the wake of the Snowden revelations is at risk of being outlawed in some jurisdictions. The not hard to see how this would impact cross border data flows, in the wake of a harsh attack name ly through surveillance, how open architecture would in turn translate into limiting cross border data flows. When we are talking about policy frameworks for the future, we also must recognise there are existing ones that we should also highlight and are important to preserve like net neutrality for instance. But there are principles in the internet around this open infrastructure that are valuable to have recognised. That's why we do impact assessments similar to what Raul mentioned. You would take a look at the internet, kind of what you do in the environmental space but you do the same for the internet. You think what are the consequences of some of these policies and which policis are helpful in terms of facilitating close border data flows. But I will stop talking now and pick it up later.

>> MODERATOR SUTO: Thank you for reminding us that we need to take this ecosystem view in which all stakeholders are sectors of industry, all actors, policy makers and all of us around this room need to think about what is it we are trying to achieve, protect, and how we are working around those, not to create consequences that none of us were intending to do.

So to make the bridge really, we have talked about the value, the risks. What is it we do to make this workable? And bridge the conversation from here into actually operationalizing. Let's talk about the elements of trust you all sort of referred to already. What is it we need to have in place to mitigate some of these risks? And how do we move forward, we need to have those trustworthy environment that enable data flow.

To start first on this, I will turn to some of our industry speakers. Dave, how do you see this from the Microsoft perspective? What are some of the causes and drivers of risks we need to think about as we aim to build trust?

>> DAVE PENDLE: Thanks, Timea. I sit on Microsoft's law enforcement and national security team. Receives just over 50,000 requests from governments each year from around the world, seeking data pertaining to well over 100,000 users. This work handling third-party government requests for data, it's often at the centre of this trust discussion, as we have already seen a bit. And technology providers, for better or worse are often at the centre or crossroads of this debate between security and privacy, generally.

And we do play a public safety role, I think an important one. Governments need to obtain certain data under appropriate circumstances to investigate serious crimes. I think most folks agree with that.

We also play also another important role that is kind of a fundamental guardrail to ensure requests for customer data are lawful, compulsory and consistent with fundamental rights including the right to privacy. But this leads to mistrust and to be blunt, the fear of government access to data has emerged as a pretty significant threat of data free flow. That threatens the foundation of the internet itself. The World Wide Web is now governed by a web of conflicting and increasingly restrictive laws. Whether they are by legitimate sovereignty or competition concerns or desire to maintain access to data in a country, either through tax on encryption. The laws that govern lawful access to data around the world are increasingly resulting in a more fragmented internet.

That presents some significant risks some that have been raised on this panel and IGF and across the world. The loss of connectivity leaving regions and people behind and out of the digital transformation is probably the most significant one. The undermining of the global digital economy and trillions of trade at risk also re significant.

Some risks of fragmentation are probably less discussed. The risk to public safety, you know most serious crimes have some connection to the internet. And governments, you know, generally, if they are rights a buyingd  abiding and rule of law, there is a need to seek data under appropriate circumstances to counter serious crime. And cybersecurity mentioned, I think Timea, you mentioned at the outset, it's not often discussed but its essentially putting blinders onto certain portions of the internet that cybersecurity professionals trying to detect and counter sophisticated cybersecurity attackers aren't going to be able to see what's happening.

Microsoft, I think it's over now, 40 trillion signals a day through a global threat landscape are analyzed every single day trying to detect the cyber threats and tell our customers and users if they have been compromised and prevent that from happening. My view perceived tension between privacy and security, which is at the heart of this mistrust is in many ways exists more in theory than reality.

I say that because when governments sit down to discuss these issues related to lawful access and these are tough issues but when they sit down to talk about what they do, they tend to agree and tend to agree on basic rules of the road. And the OECD process just proved that. The OECD process, which Japan was a major driver of, bringing together 38 countries in pursuit of data free flow with trust. They brought in experts and national security and experts and talk about what they do. They came up with multiple principles you can't go after people because of their race or religion or other protected statuses. Prior approval, redress. The governments tend to kind of follow rights, governments tend to follow the same principles when seeking access to data. This could be a blueprint for promoting the free flow of data generally.

We ultimate need more than shared principles, we need binding agreements. Data access agreements. The U.S. has been negotiating several with different countries including one right now with the E.U.

Along with E.U./U.S. data privacy framework, signing of protocol by a dozen countries was a significant step forward but looking ahead we need more. It's clear we need interoperable, frameworks that reflect the nuances of this debate. And frameworks that recognise the legitimate need for governments to access data, at least different types for public safety. I don't just work on policy at Microsoft, I'm in the compliance business as well. Just since sitting here I received emails and alerts there have been emergency requests that come into our team that staffs those 24 hours a day, every day of the year. There's a legitimate public safety need to respond when appropriate. The need for broader inclusivity. A lot of those agreements are transAtlantic agreements and that leaves much of the world out of the picture. That's one big area of need. And framework that reflects that trust is earned. For data to flow freely there must be protective standards in the rule of law. That is really at the core here. If you are not respecting the human rights of all of the users then that framework is woefully inadequate. Much has been done over the last year but more remains to be done.

>> MODERATOR SUTO: Thank you for the reminder and setting goals we should be striving to.

You talked about, we all talked about data. Haven't really made a distinction between data that is personal and non--personal. They are obviously very different risks attach to either. And neither of those are really monoliths in themselves. So there's a lot of nuance to unpack here. We won't endeavor to do that in this panel but I will ask the next two panelists to do different elements.

Maarit when we talk about privacy protection and protection of personal data?

>> MAARIT PALOVIRTA: Okay. So thank you, Timea. I will try to respond to the exact angles you are asking. But thankful we also have Jakob after myself who can maybe complement. Maybe I will adjust that frame from the telecoms operators point of view. Indeed we heard a lot of things already and many buzzwords were already mentioned. But if you think about data, data traffic, of course, you know, all this data traffic is really underpinned by the networks. It is the telecom operators. Of course for the companies that we at ETNO represent, this is the bread and butter of our every day work. There's a lot of innovation, a lot of things changing in the way of data traffic patterns, et cetera. There's a lot of talk about visualization, cloud, 5G, this is great, but the way data is moving in the networks is changing.  And the fact data is being stored at the edge, the linkage between the device and computing is different. Then of course with all of this, we also need to look at the cross-border collaboration aspect as data of course needs to move globally.

In order to provide telecom services at a global level, operators need collaboration with vendors, with partners, with different kinds of providers. And in fact with this virtualization, the role of these third party providers just increases. And then if you add on top of that, I think it was Nnenna who mentioned A.I., IOT, new technologies that are really powers by troves of data. Then we are really looking at more and more traffic and also more and more cross country traffic.

So then moving to the policy framing and especially the privacy issues. In the past years, I guess the European Union in a way was a kick starter here because the GDPR happened, I think it was 2018. And well, for better or worse, you may argue, we don't want to be judging here. But well, this new framework provided stability in Europe. But also made somehow a global model if you like for regulatory framing for privacy issues. Of course there are different variations but there was a wave of other regulatory procedures and processes in the world, South America, Asia, et cetera

. And while you may say whatever you like about the privacy regulations I think one thing is clear, these new regulatory developments actually have improved trust and confidence among citizens and we should also keep in mind that of course the internet is only used for as long as people feel it is trustworthy. So there is, you know, we are trying to find a balance between on one hand innovation and the economic activity. But also then with privacy.

And it needs to be a balanced approach. And this has been traditionally of course a European point of view. But we also think that could be interesting to other parts of the world.

And then you know, if you now think about the regulatory discussions that are happening, well very much here in Japan as well but elsewhere in the world on artificial intelligence we need to establish common basis to promote regulatory coherence and the simplification on a global scale. I think it's not really realistic to say we will have exactly the same thing everywhere but there's some level of interoperability between regulations so we have a kind of functional regulatory framing for both private sector parties and for businesses.

On the internet fragmentation, there was already a lot of talk. You know, just maybe to say and to link back to these policies that, well if you look at it only from that point of view, you can say there's a risk of fragmentation with these policies if everyone implements a different type of policy. But then we should keep in mind these policies often have a positive impact on the internet for example, increasing trust. So we should be a little bit, you know, mitigated the way we look at these issues because they often have two facets. Of course going into Carl's comments on open standards. I think many people, most people agree and us included, this is the starting point for an open internet. And there is no need or you know, it would be risky to start meddling.

We can look at commercial, net neutrality aim up, Europe is one of the few places we have regulation on the open internet, which ensures free flow traffic and this has been the case a long time now. We hear the U.S. is again starting the discussion on the same topic as well.

So they can be also business practices, I guess. We talk sometimes about environments that could cause fragmentation on the connectivity but  also on the content side. Timea, you mentioned keywords I need to be boring in only to agree, we also believe the good balance whereby we promote innovation and including things like global digital commerce. However then we also kind of keep the rights and values in the background is best achieved through a regulatory framework that is horizontal so not sector specific. Flexible, interoperable and neutral.

As already as well said we need to also see how we can promote cooperation and broadening of the jurisdictional horizons in order to make sure that the interoperability factor is somehow well clearer and also practical. From a European perspective, of course, just to go back to David's comments as well, the European policy makers have agreed making data free flow area agreements between several countries, not only the U.S. but also Japan and South Korea and private sector perspective this is great, it provides regulatory certainty. Would encourage our policy makers in Europe to expand these agreements and make sure they come to other parts of the world, such as Asia, Latin America and Africa. I will stop there.

>> MODERATOR SUTO: Thank you, Maarit. We agree on a lot of things and time is also short. But I will turn to our last panellist for this segment. Staying in Europe, we are actually moving to Europe because we are going to have Jakob join us online. If you want to build on what Maarit said and David as well, maybe I can ask you to focus on non-personal data transfer sharing.

>> JAKOB GREINER: Thank you. I like how Nnenna set the stage with flight routes. I would like to come back to that in my next five minutes. Just to say first off, I think this whole panel shows we all agree that data flows are super important to tackle some of the most pressing challenges to date, be it environmental, economic, health, safety. But also economic challenges. I think money needs to be made and is being made with data flows, I fully agree. The question with a global footprint being present in the U.S. is the money or is the data flow fair distributed to in our internet system? And to start talking about data flows we need to take a look also at the internet ecosystem of today.

The free flow of data has for long been the very essence of the internet. But I would also say its safe to say over the past years this architecture in our view has also changed quite fundamentally and these changes have impact on the way data is being used and transferred. What do I mean by that? I give an example of the U.S. we are present on both sides of the Atlantic.

If you look where global  internet traffic runs, it's almost 70% running through the proprietary networks of a few companies, they have privately expanded their own infrastructures, their backbones. You could more or less say they are a public airport. The public airport is subject to rules and regulations while the private airport doesn't have the same regulation. Though we are basically huge airports connecting the world. This needs to be taken into account when looking at how data flows are today globally flowing.

Second, when it comes to the distribution of global data flows, and again here, taking the E.U./U.S. example, our largest partner when it comes to data flows but distribution is rather one-sided. Seems the planes of Europe are flying across the United States, but they are not coming back. Over 90% of E.U. company based acceptd data to the U.S., that's great for U.S. but not so great for competitiveness in Europe. I'm describing a status quo, I'm not saying where the flaws are. That needs to be taken into account when we talk about data flows being an economic driver. The rather one sided rather than reciprocal. The notion of trust. Coming from Europe, trust and security is essential. And there is no, and should not be any data flow if trust and security are undermined.

We have team that Europe has over the past years developed a dense regulatory framework to ensure that citizens, public bodies but of course companies can rely on the protection of the data. What started with the GDPR and personal data is more and more moving now also towards safeguards for sensitive non--personal data. Trade secrets, intellectual property by the recently adopted E.U. data act. We welcome that. Trust for companies is not only perceived to lie within personal data but of course, non-personal data. A good example where you can see globally, I think need to balance legitimate privacy concerns, the reason, what is it the third or fourth attempt to have a stable U.S./E.U. privacy framework agreement so companies can exchange databased on equal level of data protection. I think that's something very welcome from a perspective of a European company. But I think now it is very important that the implementation of this framework shows its teeth. That for example, the restrictions to the access of data by security and intelligence agencies on the U.S. side is now really happening based on these agreements. And by that, I think we can see that there is a balance reachable between legitimate security concerns but at the same time also the free flow of data.

Let me move lastly to the area of cloud. Because I think Maarit said it before, the whole internet, the whole economic activity globally is moving more virtualization, cloudfication atmosphere. If we look at cloud policy at the moment in Europe, some might say, as David said, this could lead to fragmentation. This is rather almost protectionist what is happening, because data flows are being restricted. There is localisation happening but it's happening for a cause, we believe this is not against the free flow data principle, it actually provides the security and trust needed so data flows are happening.

What do I mean by that? If you look today at the concerns of European businesses, almost 70% of cloud users consider access to their cloud data is a risk, and that's why they aren't putting their data in the cloud of cloud providers. And that's not again because of personal data but also because of industrial non-personal data. In our view it's only consquent and right data flows here are restricted and localized. That's what the E.U. Data Act has been aiming for and right now the current discussion around cloud certification security scheme is aiming towards. So by that, increasing trust, increasing security, and by that ultimately leading to more global data flows, not less.

So again, I think it's not about, you know, nations like the European Union trying to somehow take a step in a different direction but it basically follows the need for more trust and security when flows are happening.

So to sum it up, I think the vital we have a common approach on data flows but trust requires uneven distribution of data flows as described it. And the change nature of the internet architecture needs to be taken into account. And the need to ensure effective protection of data, personal or non-personal data is happening, where it is stored and where it is processed. By that I think we all look for the same goals, enabling data with trust. Thank you so much.

>> MODERATOR SUTO: Thank you, Jakob, and bringing the points full circle in pointing out fragmentation can happen for very different aspects. But also if we don't step up our game and have secure, trusted data flows then we are going to end up in a situation we have a patch work of regulations that actually go against the purpose of why we wanted them in place in the first place. Which is to enable digitalisation to enable data flows that drives the development of our societies, economies and personal developments we all strive for.

We have gone a bit over time from what we planned of this first part of the panel. We want to give time for the audience to ask questions. I received two questions online. I'm sure there are some in the room. For those of you who might want to have a question, put your hands up or start lining up at the microphone. I will ask the panel the two questions we received online. One is about security, and asking how we can ensure state-of-the-art security to protect user data.

And the second question is really around safety, trust, security as well. How can we make sure we don't end up with one specific group or actor or stakeholder taking control of data and what are some of the checks and balances we can have around that? So as people in the room think if they want to ask a question, I want to see if one of our panelists might want to answer these questions around security?

Sheetal?

>> SHEETAL KUMAR: I was saying, I think Carl made a good point earlier about security, how technical and legal measures are needed to ensure data is kept securely. One of the technical measures is encryption and whether it is data in transit or data being stored, it is really an integral part of a security infrastructure for data. And what we are seeing, I think that you spoke to, Carl, is and others here is misalignment sometimes unfortunately of different attempts to address different issues that are actually quite connected or because they are not aligned with a human-rights based approach may end up doing more harm than good. One of the ways to address that is to definitely ensure you are engaging with all stakeholders. And using tools like internet impact assessments or human rights impact assessments to assess whether proposed measures are actually going to achieve the intended effect or not. And what other options there are to proportionally and actually do, what is intended instead of perhaps with the aim of providing more safety, in the end you create more insecure technology. So that I think was a key point shared earlier and I hope responds to the question.

>> MODERATOR SUTO: Thanks.

>> NNENNA NWAKANMA: If I may? I think globally we have this, I don't know, I'm trying to use a word that is contained, diplomatic word, we kind of beat our chest. We have this glorification of saying once the E.U. framework and the U.S. framework agree, then the whole world agrees. I think that is not correct. The U.S. is 300 million, the E.U. is about 450. That's 750 million out of 8 billion. Less than 10%. I don't think we should follow this particular way, we should follow the way with international travel, having London, Paris and New York be the hub of our lives. I think that we should fight against. The future of the world is in Asia. The future of the world is in Africa. Humans are the people who create data. And I think my own plea to ICC is as we go ahead, we need to be mindful of the fact E.U./U.S. does not mean global. That's just my points today. We have been doing in travel, we have been doing it visas and doing it in many other flows. We should ensure that the internet and free data flows should not be an E.U./U.S. issue. Thank you.

>> MODERATOR SUTO: Thanks, Nnenna. I think we have a good testimony into the globality, you would see the people lining up here to ask questions from the panel. I hope they will bring in some of the diversity of points of view you are asking.

I'm going to ask all of you to put your questions up. I hope you will be brief. And I will ask the panel to try to address them collectively. I will start there and go there and go back and forth. Please?

>> AUDIENCE: I'm dai chi, operator of local ISP in Japan. I will ask opinion about authority to verify the data flow or data itself is trust or honored. If there is a possibility to establish new authority to verify the data flow or encryption is correct or not how to accommodate this?

>> MODERATOR SUTO: Thank you. Gentleman over here?

>> I'm Henry and I think mention some of the results from our meeting yesterday with several groups in the region. I think the question that was raised was about what happens not just when we send the data but happens afterwards. Looking at consumer trust, one of the things we are finding, consumers want to know they can get redress if anything goes wrong. That is not like a fight and forget. What we see in some situations when we look at data free flows. So I was wondering how do you see this redress working and when we talk  about operationalize how can we do so in a way that creates trust.

>> MODERATOR SUTO: Thank you.

>> ICT international alliance, I have a comment rather than a question. The first comment is regard to influence of GDPR regard to the law. As Nnenna said, data flow is not just about GDPR or E.U. and the U.S.A.

What we are seeing now is world is following first step of E.U. in that regard. But we need data flow from business. We need data flow interoperability and some form of cost control, that's very necessary.

E.U. wanted to be free flow indeed. The question, that is to Pendle. I want to ask you, how do you cope with accessing data when GDPR is closed? And how do you access it? Because I know your need for intellectual property protection and attacks and what have you. Thank you.

>> MODERATOR SUTO: Thank you, please.

>> AUDIENCE: Cato from Japan, representing the private sector. Since we are talking from the private sector ICC point of view, I'm just wondering if any from business side to have good solution on this? We talked about some commercial solutions which may not be working right now. And encryption is another technology questions we have questions where it stands for neutrality and so on.

In Japan I had some debate recently that trust service can be a solution. Maybe a local solution. Or could increase more localisation. Some thinking of this kind where you can, you know, commercial sector, or business sector can make an actual proposal. Are there any such activities or initiatives ICC or you have some ideas about this? That's my question, thank you.

>> MODERATOR SUTO: Thank you very much.

>> AUDIENCE: I'm an academic, I have a question regarding telecommunication systems.

So a few years ago the deployment of 5G led to global crisis and we saw submarine cables being rerouted or cancelled and some companies wouldn't authorize broadband services start a U.S. company. My question, do you see data flow with trust schemes intensifying these tensions regarding the global telecommunications infrastructure?

>> MODERATOR SUTO: Thank you for that. The gentleman over here. Sorry. We are going to go here first and then I will turn to you.

>> Thank you, good afternoon, my name is (?) working for Japanese think tank. My question is which forum will be better for operationalizing (?) because there are so many forum discussing DFFT. World Trade Organization, started G 50. Other organisations such as OECD which there was like government access declaration. The Japanese government is now prone to separation IAP as a new forum. So what kind of forum would be better, how can we avoid the  --  of these forums.

>> MODERATOR SUTO: Thank you.

>> 

>> AUDIENCE: This is  --  from Nepal. We need to talk about cross border flow data. It's difficult to have regulation. We have to think about common standards and principles. In this context. Do you think that like our title, we should have some forum we could work on this common privacy security and intellectual property type of things. If not, how the countries developing countries and economies like the U.S., EU and Japan should collaborate and work with the developing and LDC countries? This is my question.

>> MODERATOR SUTO: Thank you so much. Thank you for everyone for asking your questions. It's really great to see, in this huge room all the input of our panel wasn't lost and there's really interaction. It's really strange looking at, it's such a big room but I'm glad you are here with us and engaged in the conversation.

So we heard about 6-7 questions here regarding how do we make sure that the trust is enabled with the right authority and clarity and who can access it and who can't. Questions around redressing, having redress mechanisms for violation of rights. Questions about how do companies cope with such a fragmented environment especially when they are required to provide the data for public safety reasons. Questions on how do we find commercial solutions, can we find commercial solutions in these challenges? Is there geopolitical tension that risks to be heightened. Which is the best forum to address some of these questions and how do we include LDCs in some of these conversations.

As I'm going to ask our panelists to share their final remarks from this conversation I will extend the one minute we gave to to two minutes and try to pick your question or some of the questions that were asked and then perhaps leave us with the last thing you think we should learn from today's conversation and the global state of play around data governance.

I will go in the order you all have spoken. Some of you have been silenced since you first spoke, I will turn to Nnenna first, if you want to pick one or two of these questions and share your remarks.

>> NNENNA NWAKANMA: Thank you, Timea and thanks everyone for your rich contributions. I would like to speak to the duplication of forum and where we should be having these conversations. Conversations are a great thing. Legally constraining conversations are more important. So my answer to that question would be, let's have conversations in multiple places. Let's have momentum conversations at global level. But when it comes to decisions, let's make them firm so we can hold stakeholders responsible and rather this will be done at the local level. I'm speaking as an African, speaking from West Africa at this time. I don't think OECD should be the place to hold conversations that will be of global constraining value. I would rather the WGO, the UN and related agencies be the places we make these decisions, even while we have conversation. I think that's why we come to IGF. Conversations must continue at global level, regional level, private partnerships, national levels. Let's have these conversations even within Civil Society, we have human rights issues we can reflect on. Think tanks. But then when it comes to global decisions let's make them at U.N. level. Thank you and have a great evening.

>> MODERATOR SUTO: Thank you, and enjoy the rest of your day, thank you for being here with us. Sheetal?

>> SHEETAL KUMAR: Thank you. Just to respond to the point about where to have discussions. I think as Nnenna said they are being had in various places but not everyone can access them. And not everyone understands engaging in the different ways these conversations intersect. Whether they are around e-commerce, trade and data flows, or data protection. The standards that protect data, the technical standards. So there does need to be much more openness and engagement from a wide range of stakeholders. Not necessarily the creation of new forums. What I would say as well in relation whether protecting personal data or non-personal data both requires strong levels of protection. What we would like to see and have in some cases is a legal frameworks that provide for that. We need to see it implemented and respond to the point about remedy.

We need to see what is provided for the rights that are provided for, for example, in legal frameworks and implemented. A leveling up, but leveling higher to higher human rights standards or to human rights standards across-the-board. That would allow for the trust we have been discussing to manifest because if we have those high standards across-the-board, across jurisdictions that will support the trust and enable free flow. Finally, to that point I made earlier about the importance of ensuring that we have the broader infrastructures in place for people to make use of data, for more equitable access, which is particularly important as we are talking about artificial intelligence and harnessing that. Fundamentally that's about data processing so the ability to do that requires a wide range of capacities and I think we need to pay attention to that as well. Thank you.

>> MODERATOR SUTO: Thank you so much, Sheetal.

>> Thank you so much. I think it brought new issues to the discussion. I will just refrain to a few comments.

I am going to say exactly what Nnenna said before, about the fact that worry more than the United States and Europe. I understand that some cases players could feel they are equal relations but the history is plenty and still plenty inequal relationships between regions and countries and coming from Latin America, that's our relation, the history of our relation with Europe is those cases.

And while that some people think there is no protection in some measures that are being discussed or promoted Europe, being seen from outside Europe they look protectionist. This is what I said before, we have to be careful that in good faith when they try to promote that are good at fixing market failures or problems we have to be very careful with the consequences that those policies would bring to the whole internet, not only for one country or one region. We need a strong commitment among stakeholders that we will depend and work together for a non-fragmented internet.

I agree very much with what Maarit said before, they bring more security and trust, I agree very much with that. The problem we face is that not all the policies are good. And not all the proposals are good. And in regions like Latin America where we did with many different jurisdiction, many more than 30 countries in Latin America and Caribbean together, so every country promoting their own different policies, we have to be very careful because the risk of those policies creating chaos or negative impacts and uncertainty is big, coming back to the European thing, that is one thing we are living in Latin America, there is a huge tend to copy and paste policies from Europe. Policies that could be good for Europe, I'm not arguing that, aren't necessarily good for Latin America. I guess the same happens with Africa, I don't want to make that  --

So that we need more work among all stakeholders. Try, as I said before, try to promote discussions about the concepts of fragmentation. Importance of data flow and make policy makers realise what is access.

>> MODERATOR SUTO: Thank you, Raul. For the time we have 8-10 minutes for the rest of the speakers. If you could dry to be short with your answers. We had a lot of engagement from the floor, that is good but we need to manage the time as well. Carl for you for some last considerations?

>> CARL GAHNBERG: Thank you, I will try to keep it short. I want to try to help address the questions from participants. Encryption. Questions I heard data localisation or physical infrastructure or restrictions on connecting to physical infrastructure, a lot of those challenges you can kind of resolve by allowing data to be encrypted because it takes the importance of equality out of the equation. If my data in Switzerland is unencrypted then it's safer if it'sen   --  encrypted on the other side of the world. It's making sure that you have the technical means to secure the data like encryption and that also allows us to have this global network, we can secure across cross border data flows. The other thing I want to address is which forum to talk about this. To Nnenna's point, to ensuring inclusiveness in these discussions it's important. All of the fora have some form of barriers to participation. I think it's important to allow these discussions to happen, I'm not worried, as long as there's a path to a shared perspective. I think IGF is good in that regard. National or regional IGFs is met with  crescendo of international IGF. Then we had a question around principles in thinking about this globally. I think there's a principle that I know has been used in both the environmental space. And I know used in net security, you should think globally but act locally. I think that's a good motto for us as we think about addressing the challenges. You should always be a question  --  it's a global Civil Society Civil Society. To think globally while are you doing these things locally is important. Thank you.

>> MODERATOR SUTO: Thank you, Carl. Dave?

>> DAVE PENDLE: I will try to be brief. How does an operator comply in this web complex of laws. One question, one of our fundamental principles is we should not be forced to violate one country's laws in order to comply with another's. That's a critical point. And there's concern about U.S. laws in our world. And understand that. One thing that is fortunate about U.S. law is it does account for the ability to challenge and demand. If it conflicts, comity, it makes you laugh but it ends in -ity.

Ensuring that users are notified when their data is requested and everybody understands what authorities can and cannot do.  ultimately either the provider putting up statistics every six months or more often to show what is happening can dispel myths. Quickly on more appropriate forum, certainly we need broad participation. The OECD got a lot of things right and they brought a lot of people to the table that haven't sat at the table before, including private voices, data regulators, law enforcement national security folks with some input from Civil Society and business. We need more input and more multi-lateral agreements. If you look at how long the bilateral agreements take, it will take years to cover all the countries in the world, unless we go more multi-laterally. Governments need to roll up their sleeves and get to work on that.

>> MODERATOR SUTO: Thanks, Dave. Maarit?

>> MAARIT PALOVIRTA: Geo politics is of the day, we may talk about electronic vehicles or other things. There's a little bit of this at the moment in the world. What I would like to emphasize though is that from our perspective as a private sector. Association representing the private sector it's a thin line between promoting competitiveness of a certain region and being outright competitive. It's a fine line to walk, for any industry or any private sector organisation in this, well, in this globe today, most of us do need a global market for some purpose. I was in the beginning making comments about increasing third party engagement for cross border data with the new developments in the telecom industry.

So I think that's good to keep in mind. Maybe just quickly on the institutional framing. It's good to have discussions. It's good to see how we can develop these common principles. And here I'm not trying to push for any European model, but there are then regions such as Europe who already have regulations in place on  these things, who are first movers. So it's good from our perspective not to duplicator create something that will be then another layer on top of it. But if it's principles or things like that, I think I fully endorse that. Thank you.

>> MODERATOR SUTO: Thank you, Maarit. Jakob?

>> JAKOB GREINER: I like what Carl said, think globally but act locally. That's the vision for every local company but if you want to incentivize them to put their data in the globe, then you need to give these companies assurances their data cannot be accessed. And David highlighted, I think there are conflicts between different laws at the moment that make it very difficult for cloud providers to adhere to one or the other but in the end they need to. A solution at the moment some nations are going, well let's find frameworks that higher sensitive data prevent data access. If that means only a local cloud provider should be the only company that deal with the data that's the solution at the moment that's working.

Coming to Raul's point, I'm looking at E.U. focus but you are right, goes in global forum. These rules should be harmonized as much as possible and should be fora where governments get together and highlight what they are doing.

I talked about Europe, these rules exist in the U.S. and I'm sure in other nations. So I think coming together, making a mapping and best practices of what is happening on the legislative side across nations not only E.U. and U.S.

Ultimately both consumer enterprises like ourselves want legal certainty. That's most important. If we get that by harmonizing the rules globally then we can also enable global data flows and not the local data flows.

>> MODERATOR SUTO: Thank you so much. And thanks, really for being here. We finished almost on time. All that is left for me is to summarize, which I won't do because we have run out of time.

No, really.

Just a note on account of last words. Some of the things we were talking about how we operationalize this concept of data flows and I think we drew out quite a few good lessons worth mentioning even if just telegraphically and without any effort here to be comprehensive. The value of partnerships you highlighted. The value of having all stakeholders at the table which includes making sure forums are open, and global inclusiveness we talk about, that also needs to happen at the policy-making level.

When we are talking about technology and how technology can actually help in some of these issues, thinking about encryption, thinking about trance pair   --  transparency, and the levels of policies. When we think about what are good regulations. What are good policy principles on which we start acting you mentioned creating safe spaces for dialogue and ensuring best practices. And then when we talk about the role of business, I think it was very clear, not to put business at the middle around some of these ping pong jurisdictional legal policy conversations but really make sure all stakeholders are at the table and we think holistically and in a multistakeholder fashion about normative principle-based conversations but then make sure those trickle down at the local level into clear implementation, into clear capacity building. So that's what I really captured and it's really a telegraphic summary. There's a lot more we can say about this. There's a lot of resource that's we put into the website of this session, including some of the ICC papers. But also a number of the papers and reference material that speakers have mentioned today. I do encourage you to take a look. We are still here until the end of the forum. So come to the ICC booth and come find us and we can share that with you as well. I wish you a good rest of the debates and huge thanks to my panelists both online and here on the panel. Thank you and have a good rest of the day.