5 min with Apar Gupta, Co-Founder and Trustee, Internet Freedom Foundation, India

What were your main takeaways from your participation to the last annual meeting of the International Conference in Hong Kong?

The IDPPC conference is a unique event which through an annual conference brings the regulators tasked with implementing and forming data protection laws in their countries. It brings incredible expertise, sharing of insights, and builds a necessary dialogue to further engage with civil society and the global digital rights community. This realisation seemed to be increasingly felt by the attendees and I hope it is carried forward in subsequent editions. Much more substantively, it was fascinating to note a high level of similarity among the data protection frameworks of various jurisdictions who have adopted privacy principles from the OECD and are looking towards EU’s GDPR as a global code of best practices. While there are many disagreements on nuances, there seems to be broad consensus that the open internet and global data flows require an integrated, international approach to data protection.

How do you do you foresee the role of the International Conference in promoting privacy and data protection at international level?

Such a conference can play an anchoring role at the international level. While already many DPAs, through closed and open sessions, exchange on local challenges and regulatory responses, the presence of civil society can help bridge demands and bring greater understanding of a rights based framework for data protection. The Conference needs to develop diversity in its attendee profile to drive greater legitimacy in joint efforts at international harmonisation, through joint declarations and frameworks, which may with time take the form of treaty texts.

Can you tell us more about the ongoing news for the Internet Freedom Foundation and the most recent privacy and data protection developments in India?

The Internet Freedom Foundation is a digital rights advocacy organisation. We drive towards outcomes through strategies of public engagement, regulatory and litigation for user rights in India. We have over the past two years done considerable work on data protection and privacy organisationally, which include regular comments on draft regulations and public consultations. In order to facilitate and spur on civic action, we simplify and create explainers for our responses to these regulatory exercises. We have even approached the Courts on tenuous issues, such as the sharing of data between Whatsapp and Facebook at the Supreme Court of India, with a view to offer expert views through an intervention on a case seeking to create a right to be forgotten on public records. Much more recently, we have sent a legal notice to the Government on its plans to create a, “Social Media Communication Hub” which will survey and profile social media accounts of users in India. To us many of these problems arise from the absence of a user rights oriented data protection law in India. We have supported a community effort at putting forth a model citizen’s draft through the online campaign saveourprivacy.in.

According to you, what is the “next big thing” in the field of privacy and data protection?

The next big thing in privacy is the old last thing. It is a regulatory acknowledgment in India that innovation cannot be a blanket immunity from data protection laws. It is surveillance reform that brings a rule of law framework to the practices of intelligence organisations. It is holding large online platforms and compulsory biometric identification programs accountable and gauging their permissibility. While scholarship and expert commentary is progressing to fields of machine learning and artificial intelligence, many countries especially India have evaded their constitutional duties to even take care of the bare minimum.

Which word comes first to your mind if you think about privacy?

A sense of freedom, of autonomy, that makes me smile. It is a long walk, a short run, a gentle conversation with a friend, even an argument with my partner. All these experiences and my existence without a sense of a third eye watching over me, trying to actively manipulate my behaviour or putting me at risk. Privacy is about physical and mental freedom from an electronic leash. Privacy is about me being in control of my own life.

5 minutes with Max Schrems, Chairman NOYB

How do you do you foresee the role of the International Conference in promoting privacy and data protection at international level?

I think it will be crucial for the free flow of data to have a widely shared common understanding of rules and interpretation of these rules. Already within Europe the coordination aiming at a common understanding of laws and a similar approach to the enforcement is a complicated task – but the internet and data flows are global. It will be crucial for business and users to work on interoperability and common approaches.


With just a few days before the effective application of the GDPR, can you tell us more about your ongoing news and in particular the recent creation of NOYB?

So far we were great in Europe in passing laws and having conference on privacy – what was often lacking, was the enforcement. This was largely due to limitations in the national laws, that made enforcement for DPAs very hard, but also a certain culture in the “privacy bubble” that was seeing this fundamental right as a soft law issue. Article 80 of the GDPR foresees NGOs to have a role in supporting data subjects to also allow NGOs to bring their own cases. We think that noyb.eu can thereby facilitate the enforcement by being an outside pace maker. DPAs should also benefit by getting more targeted and researched complaints on their table.


According to you, what is the “next big thing” in the field of privacy and data protection?

I think after GDPR the next big thing will be putting this law into practice, despite all legal uncertainty in the law and the enormous economic interests to limit the impact of the law. On the regulatory front I think we will have to take a closer look at monopoly building, which often has a big overlap with privacy issues and then obviously the big issue of algorithms and AI – where we still have very limited understanding of how to tackle this issue.


Which word comes first to your mind if you think about privacy?

Lifelong battle…

5 minutes with Joe Cannataci, UN Special Rapporteur on the right to privacy

You have addressed the International Conference at its annual meeting this year, what are your main takeaways from the discussions held in Hong Kong?

I would like to see more harmony in meetings, more efforts to become really global. Clearly the conference has a decision to take: either be a club for those people who are already serious about data protection or a club of for those who want to be serious about data protection. Can it be both? Probably yes. Should it be both? Probably yes.

How do you do you foresee the role of the International Conference in promoting privacy and data protection at international level?

More or less the same but with more innovation, especially in other privacy-related areas, beyond the issue of data protection. I am keen to see the Conference to take a more active role in surveillance. Not surprising! I would be very happy if this could work in synergy with my UN mandate.

Can you tell us more about the ongoing project of a Draft legal Instrument on Government-led surveillance? Which are the next steps and what are your expectation in terms of outcome and delivery?

The legal instrument, developed jointly with EU support and under the special mandate of the UN, led common meetings gathering all stakeholders (e.g. intelligence community, police, civil society, lawyers). All of them behind closed doors in New York, Miami, Paris, Malta… Last week we had the first public meeting in Rome. Each meeting, more people… I am encouraged by the progress made. The text is now public. Nobody contested that we need a clear comprehensive global framework which deals with surveillance but some governments have opposition or reservations on a legally binding agreement. One the contrary, some governments are in favor. We received positive feedbacks on several aspects from the European bar associations, Europol, several Data Protection Authorities, some members from civil society and experts from the Council of Europe. Companies such as Facebook, Microsoft, Google, and Yahoo participated in these meetings as well. All of this is very encouraging.

We should keep on going. The text is far from being in a position to be something ready for inter-governmental discussion let alone signature. We  are not there yet. My role so far was has been to facilitate the discussion while identifying issues. And there are still issues of timing to sort out. Two questions are ahead of us: Is the draft ready? No. The answer is clear. There is a need for more consultation and further refinement of ideas, wording and solutions. Is the world ready? No, because as demonstrated, for example, in June 2017 with the issue of IT system security, the world is not able to come to an agreement on matters such as cybersecurity and international law in the field cybersecurity. The failure of the UN GGE (Group of Governmental Experts) is one of the most recent examples and a serious reminder that some countries in the world are not yet ready to come to the table in good faith even if many others are willing to make progress. Nobody can ignore the international climate of distrust, nor the lessons of history looking at how other instruments at UN level were born. They require a long period of preparation and especially time is required for countries to coalesce around the idea.

History teaches us that at least one region, preferably two or three, from the UN family should take the initiative before a new instrument is born.  So it needs to be encouraged by a significant number of countries. The next steps are for the MAPPING Project to present the instrument to the EU Commission and EU Parliament in 2018. We look forward to creating synergies over the next three years in order for the draft legal instrument to become part of the EU strategy and part of the EU roadmap on how to engage with the world when it comes to privacy, surveillance and Internet governance. I will be in Geneva on March 5th at the Human Rights Council as special rapporteur, presenting a summary of discussions and I will be including the current text in annex to give an idea of what parts of a future text could look like. But taking into account the timing consideration, I do not foresee making more concrete recommendations just now, I would rather expect that progress at regional level and cross regional collaboration would put the Human Rights Council and the UN General Assembly into a far more receptive mood in three or four  years’ time. Those three or four years will be full of work and the ideas that are now public will thus have the time to be refined further, with more consultation with stakeholders in order to gain a better understanding of what can be practically achieved. Baby steps at first…with more to be achieved during upcoming years!

According to you, what is the “next big thing” in the field of privacy and data protection?

Everything that is “smart”, especially in the context of smarts cities, IOT, connected things including AI.

Which word comes first to your mind if you think about privacy?

“Personality”, Privacy is an essential component when it comes to exercising my overarching right to the free development of my personality.