DIGITAL

GOVERNANCE,
THE CONCEPT
VERA LÚCIA RAPOSO / 黎慧華
ASSOCIATE PROFESSOR AT THE FACULTY OF LAW OF MACAU
UNIVERSITY, CHINA / 澳門大學法學院副教授
AUXILIARY PROFESSOR AT THE FACULTY OF LAW OF COIMBRA
UNIVERSITY, PORTUGAL / 葡國科英布拉大學法學院助理教授
VRAPOSO@UM.EDU.MO / VERA@FD.UC.PT
OVERVIEW OF
THIS SEMINAR

• Concept of digital governance

• The relevance of data
• Concept of data governance
• The internet (who governs the
internet?)
• Social media (who governs social
media?)
 THE CONCEPT OF
DIGITAL
GOVERNANCE

Digital governance is a system that

helps to establish lines of
accountability, roles and decision-
making authority in the digital world.
PRIVATE DATA,
DATA
GOVERNANCE
AND THE GDPR
Data are more valuable than oil.
Data are the most valuable asset in
the world.

The discussion usually focuses on why

this is a bad thing.
Shoul we ban data processing?
DATA CAN SAVE LIVES
Harvard Medical School published
research comparing the accuracy of machine learning
systems against human pathologists in detecting
breast cancer. The machine learning was 92%
accurate, but humans were 96% accurate.

Harvard then combined the pathologists' discoveries

with the scans of the machine learning systems. The
accuracy soared to 99.5%.

Instead of 40 mistaken diagnosis por 1000

we could reach just 5 mistaken
diagnosis por 1000
DATA CAN SAVE
LIVES AND
CLEAR THE AIR

Hundreds of petabytes of data that

form the data lake from which the AV
self-driving advanced machine
learning solutions will come.
BUT DATA ALSO HAVE A DARK, EXTREMELY DARK SIDE
.RESEARCH BY THE INTERNATIONAL DATA CORPORATION ESTIMATED THAT THE VOLUME OF DIGITAL DATA HAVE
EXPANDED AT A COMPOUND ANNUAL GROWTH RATE OF 42% OVER THE DECADE OF 2010 TO 2020.
 Data governance: policies, processes
THE (including technologies) and people
involved in managing and protecting data.
CONCEPT OF
DATA It requires the clarification of the follwing
GOVERNANC issues:
E • how and where it is stored and sent?
• who has access to it and to what level?
• what actions can be performed on the data?
• by whom, when, using what methods and under
what circumstances?
 Governance

Risk
assessment

Compliance Data governance must

be proactive and reactive
DATA
GOVERNANCE
AND THE GDPR
(REGULATION (EU) 2016/679 OF
THE EUROPEAN PARLIAMENT
AND OF THE COUNCIL OF 27
APRIL 2016 ON THE
PROTECTION OF NATURAL
PERSONS WITH REGARD TO
THE PROCESSING OF PERSONAL
DATA AND ON THE FREE
MOVEMENT OF SUCH DATA,
AND REPEALING DIRECTIVE
95/46/EC (GENERAL DATA
PROTECTION REGULATION)
GDPR AND PERSONAL
DATA • Personal data: any data that can be used
to directly or indirectly identify a person
(data subject).

• Sensitive data: Personal data that contains

information about the data subject’s racial
or ethnic origins, political opinions,
religious or philosophical beliefs, physical
or mental health, sex life, genetic and
biometric data or membership in a trade
union. It also includes information
regarding criminal history and criminal
court proceedings against a data subject.
 A data subject is an identified or identifiable natural person.

THE A natural person is defined as an individual human being; it

CONCEPTS does not include a corporation or other legal entity that may be
considered a “person” for legal purposes.

USED BY THE
GDPR Any data refers to information such as names, addresses, email
addresses, IP addresses, identification numbers, biometric
identifiers (fingerprints, iris patterns, DNA, physical or
physiological attributes) occupation, location, medical/health
information or even website cookies.

GDPR Recital 30 addresses online identifiers that include

“devices, applications, tools, and protocols, such as internet
protocol addresses, cookie identifiers or other identifiers such
as radio frequency identification tags.”
 Controller: the natural or legal person,
public authority, agency or other body
that, alone or jointly with others,
determines the purposes and means of the
processing of personal data; where the
purposes and means of such processing
are determined by Union or Member State
law, the controller or the specific criteria
for its nomination may be provided for by
ARTICLE 4 Union or Member State law.

GDPR
Processor: a natural or legal person, public
authority, agency or other body that
processes personal data on behalf of the
controller.
Chapter 4 (Articles 24-43) lays out the responsibilities
of controllers and processors in complying with the
regulation, including:
 security of processing - implement and enforce the
principles and policies of data governance
 records of processing activities- document
adherence to the data governance plan
THE
PRINCIPLES OF
THE GDPR

Article 5 GDR: The principles are aimed at

ensuring that personal data is collected
lawfully, is accurate, is properly secured
and is limited in purpose, use and duration
of storage.
 Controllers and processors ‘shall implement
appropriate technical and organisational measures to
SECURITY IN ensure a level of security appropriate to the risk’

DATA
PROCESSING: It specifically mandates pseudonymisation and
encryption of personal data

ARTICLE 32
OF THE GDPR Requires ‘the ability to ensure the ongoing
confidentiality, integrity, availability and resilience of
processing systems and services.’

Security measures should include, ‘the ability to

restore the availability and access to personal data in a
timely manner in the event of a physical or technical
incident.’
Pseudonymisation is defined within the GDPR as the processing
of personal data in such a way that the data can no longer be
attributed to a specific data subject without the use of additional
information, as long as such additional information is kept
separately and subject to technical and organizational measures
to ensure non-attribution to an identified or identifiable
individual (Article 4(5)).

Encryption is a process that encodes a message or file so that it

can be only be read by certain people. Encryption uses an
algorithm to scramble, or encrypt, data and then uses a key for
the receiving party to unscramble, or decrypt, the information
DATA SUBJECT RIGHTS SET FOR IN THE GDPR

Right to be informed
Right to submit requests
Right to access their about details regarding
for data rectification and
personal data associated processing
erasure
activities

Right to not be subject to

Right to object to the a decision based solely on
The right to data
processing of their automated processing if
portability
personal data the decision significantly
affects the data subject.
EUROPEAN COMMISSION PUBLISHED THE DRAFT OF THE DATA
GOVERNANCE ACT

The DGA outlines how digital services should handle data in the future and is part of the 2020 European
Strategy for Data.
FOUR PILLARS OF THE DGA
•Re-Use of Public Sector Data: to be compatible with
the general data protection regulation (GDPR, the
draft dga states that the fundamental rights of data
protection, privacy, and property (intellectual
property rights) are to be respected

•Trusted intermediaries: neutrality of data sharing

service providers as a key element of trust and
control between data holders and data users. data
sharing service providers can act only as
intermediaries in the transactions, and must not use
the data exchanged for any other purpose.
 FOUR PILLARS OF THE
DGA

•Data Altruism: authorisation framework and a

standard consent form for data altruism schemes

•Creation of the European Data Innovation Board:

oversight of data sharing services providers, ensure
consistent practice in processing requests for public
sector data, and advise the european commission
EU DIGITAL SINGLE MARKET
• Businesses will be able to achieve
scale and have access to better
information and lower transaction
costs.

• Consumers will be able to benefit

from higher number of offers at
lower prices.

• Removing remaining barriers to

the digital single market can add
up to € 415 billion to European
GDP
THE ENTIRE EU DATA SET… IS IT TOO
MUCH?
• Database Directive (Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of
databases) which gives protection to those that invest in structuring data into an organised form

• General Data Protection Regulation , Regulation (EU) 2016/679 (GDPR), which governs use of personal data,

• Regulation on the free-flow of non-personal data (Regulation (EU) 2018/1807 of the European Parliament and of the Council of
14 November 2018 on a framework for the free flow of non-personal data in the European Union)

• Open Data Directive (Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019) on open data
and the re-use of public sector information that already supports re-use of public sector datasets

• New Governancw Data Act, for 2021

THE INTERNET AND
DATA INTERNET
GOVERNANCE

What is the internet?

 WHO GOVERNS THE
INTERNET?

Bringing the stakeholders (who are they?) together in Internet governance

SOME KEY PLAYERS

 INTERNET • ICANN was often criticized by the international community of
nation states for being an only semi-independent stakeholder-
CORPORATION driven organization, due to the privileged position of the U.S.
Department of Commerce to coordinate and manage the
FOR ASSIGNED Internet Assigned Numbers Authority (IANA)

NAMES AND
NUMBERS • In October 2016, the legal contract that granted the U.S.

(ICANN) government significant oversight over ICANN finally expired

 • US-based non-profit organization

• “Internet policy, technology standards, and future development

INTERNET [and] to ensure the Internet continues to grow and evolve as a
platform for innovation, economic development, and social
SOCIETY (ISOC) progress for people around the world”.

• Governed by a diverse Board of Trustees,

 • Founded in 1868, and thus considered as one of the oldest inter-
governmental organizations

INTERNATIONAL • A specialized agency of the United Nations

TELECOMMUNICAT
ION UNION (ITU) • “mission to enable the growth and sustained development of
telecommunications and information networks, and to facilitate
universal access so that people everywhere can participate in,
and benefit from, the emerging information society and global
economy”.
ICANN or the Internet Society
• US
(ISOC) pursue a multi-
stakeholder approach based • EU
on private sector organization

ITU working groups represent

a telecommunications
governance regime that is
• China, Russia,
international and centered on
nation-states, thus non-state Brazil, Arab States
stakeholders are still largely
excluded
THE INTERNET IN
CHINA

In 2010, China’s State Council Information Office

(SCIO) published the country’s first white paper on
internet policy.

PROHIBITED TOPICS :
‘disrupting social order and stability’
‘damaging state honour and interests’
Cyberspace Administration of China

China Security Law requires all network

operators to monitor user-generated
content for information that is
‘prohibited from being published or
transmitted by laws or administrative
regulations’.

The Chinese digital control

Chinese censorship is bad for

international business
 Comments?

HTTPS://WWW.COMPARITECH.COM/BLOG/VPN-
PRIVACY/INTERNET-CENSORSHIP-MAP/
GOVERNMENTS AND DIGITAL
GOVERNANCE

Is technology pro or against democracy and the rule of law?

HERE IS WHAT
WE KNOW

• Technology affects both the ability of

opposition groups to mobilize and the
ability of governments to prevent such
mobilization

• Changes in technology are correlated in

time and space with other social
changes that can affect the ability of
authoritarian governments to stay in
power
GOVERNMENTS, NEW TECHNOLOGIES AND
FUNDAMENTAL RIGHTS: INDIA

• Aadhaar system of biometric identification: authenticating the identities of individuals who apply for
services both from government and the private sector.

• To enrol in the Aadhaar system, an individual must provide fingerprints, iris biometric information, and
demographic details, all of which are stored on a central database.

• Justice K S Puttaswamy and others v Union of India and others, Supreme Court of India, 24 august 2017
and 26 September 2018
MEDIA

AND

SOCIAL
MEDIA
GOVERNAN
CE
Who governs social
media?
WHO RULES IN
SOCIAL MEDIA?
 PRIVATE COMPANIES AND DIGITAL GOVERNANCE

Freedom of expression means that the government cannot restrict

what individuals say, subject only to certain limitations.

What about private companies? Can they restrict free speech?

Whether it is possible to effectively prevent online harm while

protecting freedom of expression and privacy remains to be seen

Data capitalism
 Can we create laws to govern the internet?

• A notable example is the German Network Enforcement Law, or Netzgesetz, which came into force at
the beginning of 2018. The Netzgesetz covers a narrower field of services and platforms, and regulates
a narrow array of harms, focussing only on content that is unlawful under the German Criminal Code

• In April 2019, the UK government published its Online Harms White Paper, which proposed an
ambitious and far-reaching framework for the regulation of digital media. One of the key
recommendations is a statutory duty of care owed by all companies and institutions that own or
manage websites which host or facilitate the sharing or discovery of user-generated content.
 Citizen
Private
companies

Government

New technologies
Digital governance
REFERENCES

Liu, Hin-Yan (2019). ‘The Digital Disruption of Human Rights Foundations’. In: Human Rights, Digital Society
and the Law (Mart Susi ed.), pp. 75-86. Routledge: London.

Netflix Documentary “The Great Hack”

Netflix Documentary“Social Dilemma”