ALSA Conference 2019

Privacy Rights
24​th​ – 29​th​ January, 2019

Greetings from AC Thailand Academic team!

Provided informations below are the brief guidelines on where and how you should
start your research with the links to each sub-topics. There are also questions that
need to be answered by delegates on the table, and some issues which give rise to a
debate. More readings and research in depth in each topic are highly encouraged
for the better outcome and fruitful discussion of each tables. Please kindly note that
all delegates are expected to have read and understood the substantive materials of
their respective tables since these topics are mostly material-based and basic
knowledge before the discussion is required.
Table Discussion 1
Comparative Perspective of Data Protection: Impact of GDPR,
Challenges, and Solution
Introduction

In the online era where information is easily accessible, more and more personal details are
stored inside the e-database, which are not always secured. The GDPR comes into hands as the
main solution to protect the EU citizens and to ensure the rule of law against data privacy
violation. By introducing significant rights such as the right to data portability, right to object,
and the right to be forgotten, also leads to harsh operational impacts in domestically and
internationally. Though EU has established rules for companies, in both private and public
sectors to prepare for GDPR-compliance. However, there are still some loopholes emerging that
show the imperfections whether it is controllers outside EU, invisible data chain, or the massive
internal change inside these private companies. This topic aims to foster the realization of
positive impact and challenges that the law placed on private firms and individuals. The burdens
of this regulation can be discussed in the two side of coin. Participants will compare the standard
of privacy rights protection from their respective jurisdiction in order to learn more from the
other participants and bridging the barriers.

Questions and expectations from delegates

1. Understanding the GDPR

● Research on a brief introduction of historical development on issue of privacy
protection/data privacy before the arrival of GDPR
○ Relavant materials;
○ https://edps.europa.eu/data-protection/data-protection/legislation/history-general-
data-protection-regulation_en
○ https://eurocloud.org/news/article/a-brief-history-of-data-protection-how-did-it-all
-start/

● What is GDPR and its purpose?

○ https://www.ouritdept.co.uk/what-is-gdpr/
○ https://www.whatisgdpr.eu/

● Understand its principles and relevant key issues

○ Key issues such as actors in the field (government sector, private sectors and
individual)
 ○ Criticism of GDPR in other perspective such as the concept economic
protectionism
○ https://hbr.org/2018/04/gdpr-and-the-end-of-the-internets-grand-bargain

● Be able to grasp basics of the law and subject matters.

○ This link provides basic summary of the GDPR key facts and general issues
mentioned in the law.
○ http://www.appaforum.org/resources/guidance/appa-gdpr-general-information-do
cument.html
Basic material:​ ​https://gdpr-info.eu/

2. Aware of its impact, especially in Asian countries.

● Influence of GDPR towards the law in each country?

● Understanding the differences/standard in respective jurisdictions in Asian countries
● Benefit from the policy to individual’s daily life
● Implementation cost

Basic material:
● https://opensource.com/article/18/4/gdpr-impact
● https://www.fifthstep.com/EU-DataProtectionRules-The-impact-onAsia
● https://www.aig.com/knowledge-and-insights/k-and-i-article-gdpr-impact-in-asia#what

Expectation from delegates

● Delegates are able to understand and share what GDPR is and what are its impacts.
● How could GDPR affects different societies and delegate’s respective jurisdictions as a
whole.
● Delegates should also be able to identify some of the challenges in implementing GDPR,
both positively and negatively.
○ The Impact is not limited to only legal sphere, monetary or non-monetary, but
also on daily lives of individuals.
● In the end, delegates should come up with possible solutions to reduce or close gaps of
negative impact from GDPR as well as providing suggestions to make better.
Table Discussion 2

Right to Privacy and National Policies: The Conflicting Values

Introduction

On one hand, citizen want to have their personal data protected and off limit from the State. On
the other, the State has its duty to ensure security among its subject through different
means—one that include breaching of privacy rights in order to obtain necessary information. To
what extent could this be done, or has the society has progressed to the point whereby privacy
has triumphed over the latter? This is to be answered through quantitative research and data
alongside with arguments and hypothesis backed by law.

Questions and expectations from delegates

1. Understanding the GDPR
● What is GDPR and its purpose ?
● Understand its principles and relevant key issues
● Be able to grasp basics of the law and subject matters.
○ This link provides basic summary of the GDPR key facts and general issues
mentioned in the law.
○ http://www.appaforum.org/resources/guidance/appa-gdpr-general-information-do
cument.html
2. Importance of privacy rights
○ Why Privacy Right matters to us?
○ Why we privacy right matters?
https://teachprivacy.com/10-reasons-privacy-matters/

● Effectiveness of existing laws in each respective national jurisdiction in Asia

○ Consider the statutory definition of personal data and sensitive date within each
jurisdiction, especially in Asia, including;
○ Data protection principles
● Responsibilities of the data user and data processor
● Rights of the data subject
● Roles and functions of the data protection authority
● Evaluation of performance of the functions of the data protection authority
 ● Basic materials :
https://rightsinfo.org/the-right-to-privacy-and-why-it-matters/

3. Duties of the state

● Mechanism is each countries to protect privacy
● Exemplary cases of the conflicting values
● Pros/Cons of state surveillance in each aspects
o Security
o Political
o Economic

Basic materials :
https://www.mprnews.org/story/2013/06/18/daily-circuit-government-surveillance

Expectation
● Delegates are expected to understand the principles and how the GDPR works.
● During the discussion, each are expected to share the information of their own countries
measures and their own opinions towards the topics.
● At the end of the session, the whole table are able to find the extent of other fundamental
rights versus right to privacy
● Eventually, delegates should be able to demonstrate their method on striking the balance
of these rights and argue why one should prevails.
Table Discussion 3

Data Commercialization: Implication of Surveillance Economy

and others
Introduction

While data commercialization yields result that allows data subject to experience seamless
comfortability when browsing through websites, such as YouTube or Amazon, in which the
stuffs that you are interested upon will frequently be suggested for you. Data profiling, alongside
with data collection may also be used in the purpose other than to enhance data subject’s
experience. This may result in data commercialization, which means data are being sold off to
other marketing agencies or being manipulated to suit the advertisement campaign. Multibillion
conglomerations are made from data commercialization. However, there is a slippery slope that
data commercialization may turn into a surveillance economy where data subjects are
manipulated.

Questions and expectations from delegates

1. Understanding the GDPR

● What is GDPR and its purpose?
● Understand its principles and relevant key issues
● Implicate GDPR on your local jurisdictions
○ GDPR’s extraterritorial application

2. Ethical standpoint of data commercialization

● On one hand, while the usage of personal data by data processor/controller is based upon
the data subject's consent, even so, it leads to the discussion whether selling personal data
of data subject ethical even if the consent is obtained.
● “Using data for targeting advertising is one thing, but when personal data is used to
influence the way consumers live and the decisions they make, companies wade in murky
waters.” What do you think about this statement?
○ Highly suggested for you to take a look into the recent Facebook, Google,
Instagram, and Whatsapp lawsuit.
■ E.g. Facebook allegedly hid the consent for data processing, in order to
conduct target advertisement under the vaguely termed privacy policies.
Facebook then processed your personal data and commercialize it in its
ads campaign to its client. Is this legal? Is this ethically sound?
 ■ Basic Materials:
https://www.theregister.co.uk/2018/05/25/schrems_is_back_facebook_goo
gle_get_served_gdpr_complaint/​ (take a look at the complaint pdf link
herein)
● While data commercialization, upon consent, allows users of websites/services to
maximize their experiences (e.g. YouTube suggests video, Facebook/Instagram suggests
ads, Amazon has suggested products), in the wake of the ​Cambridge Analytica Scandal
(see:​https://www.theguardian.com/technology/2018/jul/11/facebook-fined-for-data-breac
hes-in-cambridge-analytica-scandal​), it calls into question of the ethical standard
referring to social media companies, politics, and polician’s conduct. The data was
obtained without consent from the users.

3. Balancing data commercialization with consumer’s trust

● In the most recent scandalous phenomena, consumers are now aware, more than ever,
that their data are used in an operation beyond the extent to which they had initially
agreed. This results in the loss of consumer’s trust. How should businesses balance their
data commercialization with consumers’ trust?
(see:​https://go.forrester.com/what-it-means/ep61-dark-side-of-data/​)
● “ A growing number of organizations in the private and public sectors recognize the
opportunities and business potential that their data provides. The mission is to turn their
data into data assets and insights-driven services and commercialize and monetize on
them.”
(see:​https://medium.com/value-stream-design/data-commercialization-moves-to-insights-
commercialization-part-1-542fd625b00b​). To what extent to do you think should be
permissible under your data privacy law?
● Being aware of the recent movement on “data monetization” is extremely important in
understanding the influence of consumer’s data from a legal perspective. What are some
potential pitfall of data monetization that you can think of?
(see:​https://deloitte.wsj.com/cio/2015/06/30/the-dangers-of-monetizing-data/​)

Expectation
● Awareness of the pro and cons of data commercialization, together with its business and
legal implication.
● Awareness of the abuse of data happening and human rights implication behind such
conduct.
● Be able to identify pitfalls and the slippery slope of data commercialization (i.e data
monetization).
● Be able to identify business practice in your local jurisdictions and benchmark them to
international privacy policy standards.
Table Discussion 4

Data Protection in Balance with Other Fundamental Rights

Introduction

“Processing of personal data should be designed to serve mankind. The right to the protection of
personal data is not an absolute right; it must be considered in relation to its function in society
and be balanced against other fundamental rights, in accordance with principle of
proportionality.”
— GDPR Recital 4
While the importance of privacy right is significance, it shall not be overstated and overly
dramatized such that it draws away attention of the world from the other fundamental rights.
Balance shall be strike as to which extent data protection shall be upheld factoring in other
rights.

Questions and expectations from delegates

1. Understanding the GDPR

● What is GDPR and its purpose ?
● Understand its principles and relevant key issues
● Be able to grasp basics of the law and subject matters.
○ This link provides basic summary of the GDPR key facts and general issues
mentioned in the law.
○ http://www.appaforum.org/resources/guidance/appa-gdpr-general-information-do
cument.html

Basic materials :

2. What are fundamental rights

● What are fundamental rights ?
● Perspective towards the privacy rights
● Is privacy right a fundamental rights? Why or why not
○ Case example such as
https://www.eff.org/th/deeplinks/2017/08/indias-supreme-court-upholds-right-pri
vacy-fundamental-right-and-its-about-time

Basic materials: ​https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2273074

3. Personal data protection and other rights
● Data protection measures of each states
○ GDPR and its implementation
○ Internal laws
○ Treaties
● Conflict of fundamental rights
● Finding the balance

Basic materials : ​http://jean-monnet-saar.eu/wp-content/uploads/2013/12/Blueprint-0216.pdf

Expectation

● Delegates are expected to understand the principles and how the GDPR works.
● The objectives of the discussion are to encourage delegates to speak out their thoughts
also sharing the information of each countries’ measures and perspectives towards the
issue. As the reason, AA team is highly recommended for each delegate to do some extra
research on your own domestic law to advance the discussion content.
● Conclude the discussion and find the balance of data protection and other fundamental
rights.
Table Discussion 5

Mass Surveillance: Double-Sided Sword

Introduction

The issue of the national security and personal privacy has long been in a debate. As it is, the
perspective of different values makes it so that the states usually hold the values of duty to
protect the security of the nation and assume that it could freely access to all the citizenry data.

On the other hand, people regard this action as an invasion of privacy rights and refuse to
comprehend the underlying justification. Therefore, the questions need to be raised; where
should the line be drawn to compromise and to achieve both value?

Questions and Expectations from Delegates

1. Understanding the GDPR

● What is GDPR and its purpose?
● Understand its principles and relevant key issues
● Implications of GDPR on your local jurisdictions
○ GDPR’s extraterritorial application
● (see: ​https://eugdpr.org/​ to understand more about GDPR)
● Understand how GDPR does not cover conduct of State’s surveillance under the guise of
national security.

2. Understanding Mass Surveillance

● What is a mass surveillance and why does it existence threatens our privacy rights and
personal security? (see:
https://www.techcentral.ie/snowden-mass-surveillance-problem-masses/​)
● Why does mass surveillance becomes a thing all of the sudden (see:
https://www.bbc.com/news/world-us-canada-22837100​)

3. Understanding the Safeguard your Jurisdiction has on Mass Surveillance

● What safeguards are there in an international arena? (see:
https://iapp.org/news/a/is-personal-data-better-protected-from-government-surveillance-i
n-europe-th/​)
 ● In-depth look to understand how these safeguard works in other jurisdiction.
(​https://www.hldataprotection.com/files/2013/05/A-Sober-Look-at-National-Security-Ac
cess-to-Data-in-the-Cloud.pdf​)
● What are some existing international instrument that safeguard your privacy rights
against the government? (see:
https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=15200​)
● Is there such safeguard in your country? If not, do you think your country need one and
why? Any particular threatening news about your government’s abuse of authority to
encorach upon your personal privacy rights?
4. ​Strike the Balance between Privacy and Security
● How is it done in other countries? (see:
https://www.atlanticcouncil.org/blogs/new-atlanticist/striking-a-balance-between-privacy
-and-security​)
● What are the values to consider in balancing the equation? (see:
https://the-parallax.com/2017/05/10/balance-security-digital-privacy-law-qa/​)
● How will you strike such line in your jurisdiction?

Expectation
● Delegates are able to understand GDPR and its multifold influence on the current status
quo.
● Delegates are able to understand how mass surveillance is a double-sided sword.
● Delegates are able to know the factors that are involved in balancing the equation
between privacy and security.
● Delegates are able to know which safeguards are in place against the government abuse
of its authority.
● Delegates are to be aware of which international instrument safeguard the data subject’s
right against government abuse of its authority.